Maintained by: NLnet Labs

[Unbound-users] also non-recursive support (snoop) by default?

Ondřej Surý
Thu Feb 4 15:23:00 CET 2010


On Thu, Feb 4, 2010 at 15:05, Gábor Lénárt <lgb at lgb.hu> wrote:
> Ondřej,
>
> On Thu, Feb 04, 2010 at 02:24:00PM +0100, Ondřej Surý wrote:
>> Gábor,
>>
>> Unbound implements non-recursive queries. Try:
>>
>> $ dig +norec localhost @<your_ip>
>>
>> It refuses to answer with data from cache e.g. for which he is not
>> authoritative (all domains except localhost, reverse 127.0.0.1 and
>> ::1, and the AS112 zones, and those defined by you in local-data
>> statement).
>
> Thanks for your answer! Yes, I more or less understand/have understood this,
> but he interprets RFCs this way: non-recursive queries must be supported for other
> domains too (not just about localhost, ...  etc), or at least about the list
> of root name servers.  Is he wrong?

That's nonsense. See below.

> Can you tell me where it is written (as
> RFC or other more-or-less standard resource) that the minimal set of
> "domains" to support for non-recursive queries _must_ be the list you provided
> in your reply

No domains MUST be provided. You can find a list of domains which
SHOULD be provided in RFC1912 section 4.1.

> and not others (like querying the list of root nameservers, which is what he wants)?

According to my understanding of the RFC, a server MUST implement
non-recursion only for those domains it is authoritative for. In the case
of a recursive resolver that could be no domains.  So you would respond to
queries without the RD bit only if you configured the DNS server as
authoritative. DNS cache snooping is considered a security
disclosure by some people (e.g. you can snoop on other people).

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
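As an added illustration (not part of the thread and not Unbound's own code): the `dig +norec` check above sends a query with the RD bit cleared, and Unbound answers REFUSED unless the name is in a zone it serves locally. The snippet below builds that same query by hand and classifies the response header, so an operator can verify their own resolver's behaviour; the server address, the query name and the sample responses are constructed assumptions.

```python
import socket
import struct

# Constructed example: equivalent of "dig +norec <name> @<your_ip>", plus a
# header classifier. Run it against your own resolver only.

def build_query(qname: str, qid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Build a DNS A/IN query. Flags: QR=0, OPCODE=0, RD cleared unless requested."""
    flags = 0x0100 if recursion_desired else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes) -> str:
    """Classify a raw DNS response by RCODE and ANCOUNT.

    'refused'       -> RCODE 5: the server does not serve non-recursive data for this name
                       (what Unbound does for names outside its local zones)
    'answered'      -> RCODE 0 with answer records: data came back without recursion
    'noerror-empty' -> RCODE 0, no answers
    'error'         -> any other RCODE or a malformed/short packet
    """
    if len(resp) < 12:
        return "error"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 0:
        return "answered" if ancount > 0 else "noerror-empty"
    return "error"

def check_resolver(server_ip: str, qname: str, timeout: float = 2.0) -> str:
    """Send a non-recursive query over UDP and classify the reply (network access needed)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    return classify_response(resp)

if __name__ == "__main__":
    # Hypothetical local resolver; a name outside its local zones should yield "refused".
    print(check_resolver("127.0.0.1", "www.example.com"))
```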