[Unbound-users] unbound refuses to respons non-recursive queries
Phil Pennock
unbound-users+phil at spodhuis.org
Fri May 20 10:56:12 UTC 2011
On 2011-05-19 at 13:15 -0400, Robert Edmonds wrote:
> RD bit cleared towards a recursive server is a cache snooping attempt.
Or just someone invoking { dig +trace }, which normally talks only to
auth servers but leaves RD cleared for the priming query to the local
cache to find the root servers.
Yes, it's a bug in dig(1), but dig(1) is widespread.
This was the only glitch I encountered when deploying unbound.
The ideal pragmatic response would be to treat RD cleared for queries
for "." specially, defaulting the ACL for that to be the same as that
for making recursive queries -- there's no privacy implications for
letting someone query the root server list, so no reason to lock it down
to a smaller group than can issue recursive queries.
But it's unclean bug-compatibility and perhaps not worth the
administrative complexity of another special-case.
-Phil
More information about the Unbound-users
mailing list