Maintained by: NLnet Labs

Can't dig +trace?

Anand Buddhdev
Tue Jul 28 15:35:32 CEST 2015

On 28/07/15 15:17, Jaap Akkerhuis via Unbound-users wrote:

>  > However if I hit Google's lookup servers with the same command from the 
>  > same client machine, I get the expected response...
> The +trace option causes dig not to use the local resolver. From the
> dig manual:

Not quite. If you use the +trace option, dig makes *one* query to its
local resolver(s) to get a list of root name servers. Thereafter, it
makes its own iterative queries. However, that initial query has RD=0,
and unbound won't answer. Anonymous fongaboo will have to specifically
allow cache snooping in unbound for this.

This is a weird design choice in dig. It shouldn't rely on any resolvers
for the initial query. It should just use a built-in list of root name
servers, and prime itself, just like BIND does.
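
Added example, not part of the original post: a Python sketch of the behaviour described above. It builds the non-recursive (RD=0) first query of `dig +trace`, assumed here to be a `. IN NS` question, and classifies a constructed REFUSED reply; the helper names and the sample response bytes are made up for illustration.

```python
import struct

QTYPE_NS = 2
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a name as length-prefixed labels; the root '.' is a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, rd, txid=0x1234):
    """Build a one-question DNS query; rd sets or clears the RD bit (0x0100)."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into the fields used below."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "rcode": RCODES.get(rcode, str(rcode)), "ancount": an}

def diagnose(query, response):
    """Explain a reply to the query, flagging the RD=0 refusal case."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "not a response to this query"
    if q["rd"] == 0 and r["rcode"] == "REFUSED":
        return "non-recursive query refused: cache snooping not allowed for this client"
    if r["rcode"] == "NOERROR" and r["ancount"] > 0:
        return "answered"
    return "other: " + r["rcode"]

# Constructed sample: a REFUSED reply (QR=1, RCODE=5) echoing the question.
TRACE_QUERY = build_query(".", QTYPE_NS, rd=False)
CONSTRUCTED_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + TRACE_QUERY[12:]

if __name__ == "__main__":
    print(TRACE_QUERY.hex())
    print(diagnose(TRACE_QUERY, CONSTRUCTED_REFUSED))
```

In `unbound.conf`, the `access-control` action `allow_snoop` (rather than `allow`) is the setting that permits non-recursive queries from a given netblock.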