Maintained by: NLnet Labs

[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks

Paul Wouters
Mon Feb 16 02:50:21 CET 2009


On Sun, 15 Feb 2009, Robert Edmonds wrote:

> what is unbound specific is that unbound answers rd==0 queries which IMO
> it should 

From the man page:

The allow action does allow nonrecursive queries to access the
local-data that is configured. The reason is that this does not
involve the unbound server recursive lookup algorithm, and
static data is served in the reply. This supports normal operations
where nonrecursive queries are made for the authoritative
data. For nonrecursive queries any replies from the dynamic
cache are refused.

The action allow_snoop gives nonrecursive access too. This gives
both recursive and nonrecursive access. The name allow_snoop
refers to cache snooping, a technique to use nonrecursive
queries to examine the cache contents (for malicious acts).
However, nonrecursive queries can also be a valuable debugging
tool (when you want to examine the cache contents).

It is to support certain common deployment scenarios that involve
adding static or (LEA) override data, forwarding auth queries, etc.

> (dnscache seems to have not suffered for its decision to drop all rd==0
> queries on the floor.)

If djb only always followed RFC :)

Paul
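Added example, not from this post or from the Unbound project: a small lint that reads the access-control lines the man page text above describes and reports any netblock given allow_snoop (nonrecursive access to the dynamic cache) outside loopback and RFC 1918 space, which is where the "foreign network" cache-snooping concern in this thread comes from. The sample configuration and the trusted-network list are constructed assumptions, not a real deployment.

```python
"""Lint unbound.conf access-control lines for cache-snooping exposure.

Assumed policy: allow_snoop (nonrecursive cache access) is acceptable for
loopback and RFC 1918 space only; plain allow already refuses cache
replies to rd=0 queries and serves local-data, so it is not flagged.
"""
import ipaddress
import re

# Constructed sample configuration (not from the thread or from Unbound).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 10.0.0.0/8 allow
    # "foreign" network: this grants cache inspection, not just recursion
    access-control: 203.0.113.0/24 allow_snoop
    access-control: 0.0.0.0/0 refuse
"""

# Assumed trusted ranges for allow_snoop: loopback plus RFC 1918 / ULA.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fc00::/7")]

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")


def parse_access_control(conf_text):
    """Return (network, action) tuples in file order; bare hosts become /32 or /128."""
    acls = []
    for line in conf_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return acls


def is_trusted(net):
    """True when net lies entirely inside one of the TRUSTED blocks."""
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def snoop_exposures(conf_text):
    """Netblocks granted allow_snoop that are not in trusted space."""
    return [str(net) for net, action in parse_access_control(conf_text)
            if action == "allow_snoop" and not is_trusted(net)]


if __name__ == "__main__":
    for net in snoop_exposures(SAMPLE_CONF):
        print(f"allow_snoop exposes the cache to {net}; consider allow or refuse")
```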