From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: Prevent Unbound from penalty upstream server
To: OpenBSD tech <tech@openbsd.org>, "Kirill A. Korinsky" <kirill@korins.ky>
Date: Fri, 10 May 2024 19:30:36 +0100

On 2024/05/10 18:44, Kirill A. Korinsky wrote:
> On Fri, 10 May 2024 14:53:11 +0100,
> Stuart Henderson <stu@spacehopper.org> wrote:
> > 
> > I'd like to wait until the discussion with upstream goes further before
> > making any changes to the default config.
> >
> 
> Well, this issue is opened since December 2020... and I bet that it won't go
> any future, but I'll ba back to this in couple of months.

But for much of that time there was confusion between the difference
between NXDOMAIN experienced while recursing (where this unbound
behaviour was intentional, though now appears might be an issue with
these [rather weakly coded, tbh...] rbldns daemons) and NXDOMAIN on
the actual query (not intended to trigger).

I bet the real fix is a code change and ideally I'd not like to
encourage users to add more to their unbound.conf (which is likely
to stay around forever, even if the problem is fixed properly)
which reduce effectiveness of an intentional feature to reduce
risk of overloading poorly configured/coded DNS servers. (One
could also take the view that it's working as expected...)