[Unbound-users] allowing cache queries but not doing recursion for "foreign" networks
Paul Wouters
paul at xelerance.com
Mon Feb 16 01:50:21 UTC 2009
On Sun, 15 Feb 2009, Robert Edmonds wrote:
> what is unbound specific is that unbound answers rd==0 queries which IMO
> it should
From the man page:
The allow action does allow nonrecursive queries to access the
local-data that is configured. The reason is that this does not
involve the unbound server recursive lookup algorithm, and
static data is served in the reply. This supports normal
operations where nonrecursive queries are made for the authoritative
data. For nonrecursive queries any replies from the dynamic
cache are refused.
The action allow_snoop gives nonrecursive access too. This gives
both recursive and non recursive access. The name allow_snoop
refers to cache snooping, a technique to use nonrecursive
queries to examine the cache contents (for malicious acts).
However, nonrecursive queries can also be a valuable debugging
tool (when you want to examine the cache contents).
It is to support certain common deployment scenarios, that involve
adding static or (LEA) override data, forwarding auth queries, etc.
> (dnscache seems to have not suffered for its decision to drop all rd==0
> queries on the floor.)
If djb only always followed RFC :)
Paul
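
As an added example (not part of the original post, and not Unbound's own code), a small Python check an operator can point at their own resolver to confirm the behaviour in the man page excerpt: under `allow`, an rd==0 query for a cached name should come back REFUSED, while `allow_snoop` answers it. The function names, the query ID and the sample reply headers are constructed for this illustration.

```python
import socket
import struct

RCODE_REFUSED = 5

def build_query(name, qid, rd=False):
    """Encode an A/IN query for `name`; rd=False leaves the RD bit clear."""
    header = struct.pack("!6H", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)

def classify_reply(reply, qid):
    """Map a reply to an rd==0 probe onto refused / answered / empty / malformed."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != qid or not (flags & 0x8000):       # wrong ID, or QR bit not set
        return "malformed"
    if (flags & 0x000F) == RCODE_REFUSED:
        return "refused"                         # expected under `allow` for cached names
    return "answered" if ancount else "empty"    # "answered": data served without recursion

def probe(server, name, qid=0x5155, timeout=2.0):
    """Send one rd==0 query over UDP to a resolver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            return classify_reply(s.recvfrom(4096)[0], qid)
        except socket.timeout:
            return "dropped"                     # rd==0 query dropped on the floor

if __name__ == "__main__":
    # Constructed 12-byte reply headers (not captured traffic): QR=1, then RCODE / ANCOUNT.
    refused = struct.pack("!6H", 0x5155, 0x8005, 1, 0, 0, 0)
    snooped = struct.pack("!6H", 0x5155, 0x8080, 1, 1, 0, 0)
    print(classify_reply(refused, 0x5155), classify_reply(snooped, 0x5155))
```

Run `probe()` from a host inside each access-control range, using a name that is in the cache but not configured as local-data, and compare the result with the action configured for that range.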