Maintained by: NLnet Labs

[Unbound-users] unbound refuses to respond to non-recursive queries

Robert Edmonds
Fri May 20 17:38:28 CEST 2011


Paul Wouters wrote:
> unbound is not an authoritative server. It should only see recursive queries.

btw, i noticed that unbound seems not to echo the question section in
REFUSED answers:

    query: [17 octets]
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6493
    ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;. IN NS

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:
    ---
    response: [12 octets]
    ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 6493
    ;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:
    ---

vs a BIND9 REFUSED:

    query: [17 octets]
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55918
    ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;. IN NS

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:
    ---
    response: [17 octets]
    ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 55918
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;. IN NS

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:
    ---

i'm not proposing that unbound mimic the BIND9 behavior exactly, but i
was somewhat surprised (in the spirit of draft-vixie-dnsext-dns0x20 and
draft-wijngaards-dnsext-resolver-side-mitigation) that responders don't
universally err on the side of paranoia by always copying the question
section exactly from query to response (excepting the case of a format
error while reading the query's question section, of course).

-- 
Robert Edmonds
edmonds at debian.org
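To make the point of the two captures concrete, the following is an added example (not part of the post or of either server's code): it builds the 17-octet ". IN NS" query from the captures, a 12-octet REFUSED response with QDCOUNT=0 (the unbound behaviour shown) and a 17-octet REFUSED response that echoes the question (the BIND9 behaviour), then applies the kind of paranoid client-side check the author describes. A response that does not echo the question can only be matched to its query by the 16-bit ID, so the check rejects it; a response that echoes the question is also compared label-case-sensitively, which is what lets draft-vixie-dnsext-dns0x20 add entropy. All framing follows RFC 1035; the function names are the example's own.

```python
"""Build DNS queries and REFUSED responses (RFC 1035 wire format) and check a
response against its query the way a cautious stub or forwarder would:
same ID, question section echoed, and label case preserved (0x20 check).
Example code written for this thread; not unbound's or BIND9's code."""
import struct

RCODE_REFUSED = 5
QR_BIT = 0x8000
RD_BIT = 0x0100


def encode_name(name):
    """Encode a presentation-format name ('.' or 'Example.COM.') as wire
    labels, keeping the caller's letter case so 0x20 encoding survives."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            lab = label.encode("ascii")
            out += struct.pack("B", len(lab)) + lab
    return out + b"\x00"  # root label terminates the name


def decode_name(data, off):
    """Decode an uncompressed wire name at offset off; return (name, new_off).
    Question sections are never compressed, so pointers are rejected."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_query(qid, qname, qtype, qclass=1):
    """Header (12 octets) + one question, no other sections."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def build_refused(query, echo_question):
    """REFUSED response to a query: QR set, RD copied, RCODE=5.
    echo_question=True copies the question section (BIND9-style, 17 octets
    for '. IN NS'); False sends a bare header (unbound-style, 12 octets)."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    rflags = QR_BIT | (flags & RD_BIT) | RCODE_REFUSED
    if echo_question:
        return struct.pack("!HHHHHH", qid, rflags, qdcount, 0, 0, 0) + query[12:]
    return struct.pack("!HHHHHH", qid, rflags, 0, 0, 0, 0)


def parse_message(data):
    """Parse header and question section only (enough for REFUSED answers)."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": qid, "qr": bool(flags & QR_BIT), "rcode": flags & 0x000F,
            "qdcount": qd, "questions": questions, "length": len(data)}


def response_matches_query(query, response):
    """Return (accepted, reason). Accept only if QR is set, the ID matches,
    and the question is echoed exactly, label case included."""
    q = parse_message(query)
    r = parse_message(response)
    if not r["qr"]:
        return False, "QR bit not set"
    if r["id"] != q["id"]:
        return False, "ID mismatch"
    if r["qdcount"] != q["qdcount"]:
        return False, "question not echoed (QDCOUNT %d vs %d)" % (r["qdcount"], q["qdcount"])
    if r["questions"] != q["questions"]:
        return False, "question section differs from query (case-sensitive)"
    return True, "rcode=%d" % r["rcode"]


if __name__ == "__main__":
    # Constructed input: the '. IN NS' query from the captures, id 6493.
    query = build_query(6493, ".", 2)
    for label, resp in (("no question echoed", build_refused(query, False)),
                        ("question echoed", build_refused(query, True))):
        print(label, len(resp), "octets ->", response_matches_query(query, resp))
```

The lengths reproduce the captures (17-octet query, 12- versus 17-octet responses). The second branch of the check is the one the author is getting at: once a responder echoes the question, a client can also insist that the echoed name keep the exact case it sent, so a response forged with a different case is rejected even when the 16-bit ID happens to match.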