[Unbound-users] unbound refuses to respond to non-recursive queries
Robert Edmonds
edmonds at debian.org
Fri May 20 15:15:39 UTC 2011
Phil Pennock wrote:
> On 2011-05-19 at 13:15 -0400, Robert Edmonds wrote:
> > RD bit cleared towards a recursive server is a cache snooping attempt.
>
> Or just someone invoking { dig +trace }, which normally talks only to
> auth servers but leaves RD cleared for the priming query to the local
> cache to find the root servers.
>
> Yes, it's a bug in dig(1), but dig(1) is widespread.
>
> This was the only glitch I encountered when deploying unbound.
>
> The ideal pragmatic response would be to treat RD cleared for queries
> for "." specially, defaulting the ACL for that to be the same as that
> for making recursive queries -- there's no privacy implications for
> letting someone query the root server list, so no reason to lock it down
> to a smaller group than can issue recursive queries.
>
> But it's unclean bug-compatibility and perhaps not worth the
> administrative complexity of another special-case.
oh yes, i've been using "dig +trace +norec @f.root-servers.net" for so
long i'd forgotten about that.
--
Robert Edmonds
edmonds at debian.org
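An added illustration, not code from this thread or from Unbound, of the special case Phil describes: an RD-cleared query for "." is judged by the same ACL as recursive queries, while any other RD-cleared query falls under the stricter non-recursive ACL. The wire-format builder and parser, the `acl` dictionary and the `decide` function are my own assumptions; the sample queries are constructed.

```python
import struct

QTYPE_NS = 2  # dig +trace primes with an NS query for "."

def build_query(qname, qtype, rd, qid=0x1234):
    """Constructed sample: a minimal wire-format DNS query (one question, no EDNS)."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    wire = b""
    for label in qname.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    wire += b"\x00"  # root label ends the name; "." encodes as just this byte
    return header + wire + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (rd, qname, qtype) from a query; uncompressed names only."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return bool(flags & 0x0100), ".".join(labels) + ".", qtype

def decide(msg, acl):
    """acl maps 'recursive'/'nonrecursive' to whether this client is in that ACL.

    RD set: recursive ACL. RD clear for ".": recursive ACL too (the priming
    query reveals nothing private). RD clear for anything else: non-recursive ACL,
    which is where cache-snooping probes end up.
    """
    rd, qname, qtype = parse_question(msg)
    if rd or qname == ".":
        return "serve" if acl["recursive"] else "refuse"
    return "serve" if acl["nonrecursive"] else "refuse"

if __name__ == "__main__":
    client = {"recursive": True, "nonrecursive": False}
    print(decide(build_query(".", QTYPE_NS, rd=False), client))      # serve
    print(decide(build_query("example.com", 1, rd=False), client))  # refuse
```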