[Unbound-users] unbound refuses to respond to non-recursive queries

Phil Pennock unbound-users+phil at spodhuis.org
Fri May 20 10:56:12 UTC 2011


On 2011-05-19 at 13:15 -0400, Robert Edmonds wrote:
> RD bit cleared towards a recursive server is a cache snooping attempt.

Or just someone invoking { dig +trace }, which normally talks only to
auth servers but leaves RD cleared for the priming query to the local
cache to find the root servers.

Yes, it's a bug in dig(1), but dig(1) is widespread.

This was the only glitch I encountered when deploying unbound.

The ideal pragmatic response would be to treat RD cleared for queries
for "." specially, defaulting the ACL for that to be the same as that
for making recursive queries -- there are no privacy implications for
letting someone query the root server list, so no reason to lock it down
to a smaller group than can issue recursive queries.

But it's unclean bug-compatibility and perhaps not worth the
administrative complexity of another special-case.

-Phil
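
The special case proposed above, sketched as an added example (not part of the original message and not unbound's code): a query with RD cleared is refused unless it is the `. NS` priming query from a client already allowed to recurse. The names `decide`, `may_recurse`, `may_snoop` and `root_exception` are hypothetical, and the packets are constructed samples.

```python
import struct

def build_query(qname, qtype, rd, txid=0x1234):
    """Build a minimal one-question DNS query (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return (rd, qname, qtype); raise ValueError on a malformed query."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:      # QR set, or not exactly one question
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        pos += 1
        if n == 0:                          # root label ends the name
            break
        if n > 63 or pos + n > len(pkt):    # also rejects compression pointers
            raise ValueError("bad label")
        labels.append(pkt[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _ = struct.unpack("!HH", pkt[pos:pos + 4])
    return bool(flags & 0x0100), ".".join(labels) + ".", qtype

def decide(pkt, may_recurse, may_snoop, root_exception=True):
    """Hypothetical ACL decision for one client: 'answer', 'refuse' or 'drop'."""
    try:
        rd, qname, qtype = parse_query(pkt)
    except ValueError:
        return "drop"
    if rd:                                  # ordinary recursive query
        return "answer" if may_recurse else "refuse"
    if may_snoop:                           # client explicitly trusted for RD=0
        return "answer"
    # Assumption: the priming query is ". IN NS" (qtype 2); only that exact
    # question inherits the recursion ACL, so the rest of the cache stays closed.
    if root_exception and may_recurse and qname == "." and qtype == 2:
        return "answer"
    return "refuse"
```

With `root_exception=False` the same priming query is refused like any other non-recursive query, which is the behaviour that the `dig +trace` invocation described above runs into.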
