Maintained by: NLnet Labs

[Unbound-users] unbound refuses to respond to non-recursive queries

Robert Edmonds
Fri May 20 17:15:39 CEST 2011


Phil Pennock wrote:
> On 2011-05-19 at 13:15 -0400, Robert Edmonds wrote:
> > RD bit cleared towards a recursive server is a cache snooping attempt.
> 
> Or just someone invoking { dig +trace }, which normally talks only to
> auth servers but leaves RD cleared for the priming query to the local
> cache to find the root servers.
> 
> Yes, it's a bug in dig(1), but dig(1) is widespread.
> 
> This was the only glitch I encountered when deploying unbound.
> 
> The ideal pragmatic response would be to treat RD cleared for queries
> for "." specially, defaulting the ACL for that to be the same as that
> for making recursive queries -- there's no privacy implications for
> letting someone query the root server list, so no reason to lock it down
> to a smaller group than can issue recursive queries.
> 
> But it's unclean bug-compatibility and perhaps not worth the
> administrative complexity of another special-case.

oh yes, i've been using "dig +trace +norec @f.root-servers.net" for so
long i'd forgotten about that.

-- 
Robert Edmonds
edmonds at debian.org
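
The policy discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: it parses a DNS query, reads the RD bit, and applies the special case Phil Pennock proposes, where a query for "." with RD cleared falls under the same ACL as recursive queries. The function names, the `may_recurse`/`may_snoop` parameters and the sample queries are assumptions constructed for illustration.

```python
import struct

RD_MASK = 0x0100  # RD is bit 8 of the 16-bit DNS header flags word (RFC 1035)
QR_MASK = 0x8000  # set on responses, clear on queries

def build_query(qname, qtype, rd):
    """Constructed sample input: a minimal one-question DNS query in wire format."""
    header = struct.pack("!HHHHHH", 0x1234, RD_MASK if rd else 0, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    """Return (rd_set, qname, qtype) for the first question of a DNS query."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & QR_MASK or qdcount < 1:
        raise ValueError("not a query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):
            raise ValueError("bad label in question")
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return bool(flags & RD_MASK), ".".join(labels) + ".", qtype

def decide(msg, may_recurse, may_snoop):
    """Hypothetical ACL decision for one client; returns 'answer' or 'refuse'."""
    rd, qname, _qtype = parse_query(msg)
    if rd:
        return "answer" if may_recurse else "refuse"
    if may_snoop:
        return "answer"            # client explicitly allowed non-recursive queries
    if qname == "." and may_recurse:
        return "answer"            # proposed special case: dig +trace priming query
    return "refuse"                # RD cleared for any other name: treat as snooping
```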