When using a forwarder, zones that return a CNAME for queries at the apex fail to validate
In theory, CNAME and DS records should never be able to exist at the same name. When servers return a CNAME for apex queries this property is broken, resulting in caches where a DS and a CNAME both appear at the same name. The attached named.run shows this using the named.conf below, which implements both the local recursive server and the forwarder within a single process. The address family is restricted to IPv4, and qname-minimization and empty-zones-enable are turned off to reduce the extraneous logging.
```
bin/named/named -g -c named.conf -d 100 -4 >& named.run
dig -p 7777 @127.0.0.1 am-explorer.com
```
```
key forward {
    algorithm hmac-sha256;
    secret "aaaabbbbccccdddd";
};
options {
    listen-on port 7777 { any; };
    listen-on-v6 port 7777 { any; };
    pid-file none;
    qname-minimization off;
    empty-zones-enable no;
};
view local {
    server 127.0.0.1 { keys forward; };
    match-clients { !key forward; any; };
    forwarders port 7777 { 127.0.0.1; };
    forward only;
};
view forward {
    match-clients { key forward; };
};
```
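The cache state the report describes, modelled as an added example (not BIND code and not part of the attached named.run): the DS RRset is learned from the parent zone, the forwarder then answers the apex query with a CNAME, and a check of the "CNAME must stand alone" rule flags the owner name that now carries both. The record data and the `Cache` class are constructed; only the name am-explorer.com comes from the report.

```python
"""Model of a resolver cache ending up with DS and CNAME at one owner name."""
from collections import defaultdict

# Types that may legitimately share an owner name with a CNAME
# (RFC 1034 3.6.2 plus the DNSSEC exceptions in RFC 4035 2.5).
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


class Cache:
    """Minimal constructed cache: owner name -> {rtype: [rdata, ...]}."""

    def __init__(self):
        self.rrsets = defaultdict(dict)

    def learn(self, records):
        """Insert (owner, type, rdata) tuples as a resolver would from a response."""
        for owner, rtype, rdata in records:
            name = owner.lower().rstrip(".") + "."
            self.rrsets[name].setdefault(rtype, []).append(rdata)

    def cname_conflicts(self):
        """Return {owner: [offending types]} where a CNAME coexists with other data."""
        bad = {}
        for owner, by_type in self.rrsets.items():
            if "CNAME" in by_type:
                extra = sorted(set(by_type) - CNAME_COMPATIBLE)
                if extra:
                    bad[owner] = extra
        return bad


def reproduce():
    """Replay the sequence from the report and return the detected conflicts."""
    cache = Cache()
    # 1. The validating resolver asks the parent (.com) for the delegation and
    #    caches the child's DS RRset (digest value is a constructed placeholder).
    cache.learn([("am-explorer.com.", "DS", "12345 13 2 <constructed digest>")])
    # 2. The forwarder answers the apex A query with a CNAME, which is the
    #    behaviour the report describes; it lands on the same owner name.
    cache.learn([("am-explorer.com.", "CNAME", "target.example.net."),
                 ("target.example.net.", "A", "192.0.2.1")])
    return cache.cname_conflicts()


if __name__ == "__main__":
    print(reproduce())  # {'am-explorer.com.': ['DS']}
```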
Edited by Mark Andrews