Maintained by: NLnet Labs

[Unbound-users] unbound refuses to respond to non-recursive queries

Phil Pennock
Fri May 20 12:56:12 CEST 2011


On 2011-05-19 at 13:15 -0400, Robert Edmonds wrote:
> RD bit cleared towards a recursive server is a cache snooping attempt.

Or just someone invoking { dig +trace }, which normally talks only to
auth servers but leaves RD cleared for the priming query to the local
cache to find the root servers.

Yes, it's a bug in dig(1), but dig(1) is widespread.

This was the only glitch I encountered when deploying unbound.

The ideal pragmatic response would be to treat RD cleared for queries
for "." specially, defaulting the ACL for that to be the same as that
for making recursive queries -- there's no privacy implications for
letting someone query the root server list, so no reason to lock it down
to a smaller group than can issue recursive queries.

But it's unclean bug-compatibility and perhaps not worth the
administrative complexity of another special-case.

-Phil
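The policy Phil sketches above (RD cleared on a query for the root NS set is treated like a recursive query, any other RD-cleared query needs the stricter non-recursive permission) as an added worked example, not code from the thread or from unbound. It builds DNS queries in wire format, parses the header and question back out, and classifies them; `client_may_recurse` and `client_may_snoop` are assumed stand-ins for the two ACL decisions a resolver would already have made for the client.

```python
import struct

# Build a minimal DNS query in wire format (constructed sample input, not a
# capture from the list thread). qname is dotted; "." is the root zone.
def build_query(qname: str, qtype: int, rd: bool, qid: int = 0x1234) -> bytes:
    flags = 0x0100 if rd else 0x0000          # QR=0, opcode=0; RD is bit 0x0100
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b""
    for label in qname.strip(".").split("."):
        if label:
            labels += bytes([len(label)]) + label.encode("ascii")
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question

def parse_query(pkt: bytes):
    """Return (rd, qname, qtype) from a query; question names are never compressed."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    _qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    rd = bool(flags & 0x0100)
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    qname = ".".join(labels) + "." if labels else "."
    return rd, qname, qtype

NS = 2  # RR type NS, what dig +trace asks for in its priming query

def classify(pkt: bytes, client_may_recurse: bool, client_may_snoop: bool) -> str:
    """RD set: recursive ACL. RD clear for '.' NS: also recursive ACL (the priming
    query leaks nothing about cache contents). Any other RD-clear query: snoop ACL."""
    rd, qname, qtype = parse_query(pkt)
    if rd:
        return "allow" if client_may_recurse else "refuse"
    if qname == "." and qtype == NS:
        return "allow" if client_may_recurse else "refuse"
    return "allow" if client_may_snoop else "refuse"
```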