On Thu, Feb 4, 2010 at 15:05, Gábor Lénárt <lgb at lgb.hu> wrote:
> Ondřej,
>
> On Thu, Feb 04, 2010 at 02:24:00PM +0100, Ondřej Surý wrote:
>> Gábor,
>>
>> Unbound implements non-recursive queries. Try:
>>
>> $ dig +norec localhost @<your_ip>
>>
>> It refuses to answer with data from cache, e.g. for which he is not
>> authoritative (all domains except localhost, reverse 127.0.0.1 and
>> ::1, and the AS112 zones, and those defined by you in local-data
>> statements).
>
> Thanks for your answer! Yes, I more or less understand/have understood this,
> but he interprets RFCs this way: non-recursive queries must be supported for other
> domains too (not just about localhost, ... etc), or at least about the list
> of root name servers. Is he wrong?

That's nonsense. See below.

> Can you tell me where it is written (as
> RFC or other more-or-less standard resource) that the minimal set of
> "domains" to support for non-recursive queries _must_ be the list you provided
> in your reply

No domains MUST be provided. You can find a list of domains which SHOULD be
provided in RFC1912 section 4.1.

> and not other (like query the list of root nameservers, what he wants)?

According to my understanding of the RFC, a server MUST implement non-recursion
just for those domains it is authoritative for. In the case of a recursive
resolver it could be no domains. So you would respond to queries with no RD bit
only if you configured the DNS server as authoritative.

DNS Cache Snooping is considered a security disclosure by some people (e.g. you
can snoop on other people).

Ondrej
--
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
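The distinction drawn in the reply above (a non-recursive query is refused, answered authoritatively, or answered from cache) can be checked against a resolver you operate without `dig`. The following is an added example, not code from the thread or from the Unbound project; it hand-builds a query with the RD bit cleared, classifies the response by rcode, AA flag and answer count, and includes two constructed sample responses so it runs offline. `probe` sends the query to a real server and is only called by you.

```python
import socket
import struct

def build_query(name, qtype=1, rd=False, txid=0x1234):
    """Build a DNS query; rd=False clears the RD bit, like `dig +norec`."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(resp):
    """Classify a response to an RD=0 query: refused / authoritative / cached / empty."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    if rcode == 5:                      # REFUSED: resolver declines non-recursive service
        return "refused"
    if an > 0:
        return "authoritative" if aa else "cached"   # data without AA came from cache
    return "empty"

def probe(server, name, timeout=2.0):
    """Send an RD=0 query to `server` (UDP/53) and classify what comes back."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(resp)

# Constructed sample responses (not real captures) for offline use.
def sample_refused():
    q = build_query("localhost")
    return struct.pack("!HH", 0x1234, 0x8005) + q[4:]   # QR set, rcode 5, question echoed

def sample_cached():
    q = build_query("www.example.org")
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)  # QR + RA, no AA, one answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + q[12:] + rr
```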