Hello.
On 09/10/2025 11.36, Jiri Masek via knot-resolver-users wrote:
> did same deployment again and it seems configuration
> works correctly. Only difference from Knot Resolver 5 is that now forwarded queries are
> cached - which is a good thing. So my previous config must contain some mistake.
I'm glad to hear that. I think that caching should work well now for
these cases - that even when an NSEC* record from non-forwarded DNS
would cover your query, it shouldn't be used. At least unless I
misremembered or some bug sneaked in. For example, querying coop1 as
query would add NSEC for coop->corsica, proving that no .corp exists and
subsequently using that to immediately NXDOMAIN.
--Vladimir
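
The interaction described in the reply above, as an added example that is not part of the original message and is not Knot Resolver code: a simplified model of aggressive NSEC use (RFC 8198) that skips cached NSEC proofs for names under a forwarded subtree. The function names, the `NSEC_CACHE` and `FORWARD_ZONES` sample data, and the assumption that `corp.` is the forwarded zone are constructed for illustration.

```python
# Simplified model only; a real resolver also validates DNSSEC signatures and TTLs.

def canon_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, lowercased."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between an NSEC owner and its next name."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if q[:len(o)] == o:
        return False  # at or below the owner (possibly a delegation): not denied here
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps around to the apex

def is_forwarded(qname, forward_zones):
    """True if qname is at or below any forwarded zone."""
    q = canon_key(qname)
    return any(q[:len(z)] == z for z in map(canon_key, forward_zones))

def answer_from_nsec_cache(qname, nsec_cache, forward_zones):
    """Return "NXDOMAIN" if a cached NSEC may answer, else None (ask upstream)."""
    if is_forwarded(qname, forward_zones):
        return None  # public-tree proofs must not deny forwarded names
    for owner, next_name in nsec_cache:
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return None

# Constructed sample: the NSEC range cached after querying "coop1." publicly.
NSEC_CACHE = [("coop.", "corsica.")]
FORWARD_ZONES = ["corp."]  # assumption: the internal zone is forwarded

if __name__ == "__main__":
    for name in ("coop1.", "intranet.corp.", "example.coop."):
        print(name, answer_from_nsec_cache(name, NSEC_CACHE, FORWARD_ZONES))
```

Passing an empty forward list for `intranet.corp.` shows the failure mode the reply describes: the cached `coop.` to `corsica.` range covers `corp.` and the name is denied without ever reaching the forwarder.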