[Unbound-users] unbound refuses to respons non-recursive queries
Robert Edmonds
edmonds at debian.org
Fri May 20 15:38:28 UTC 2011
Paul Wouters wrote:
> unbound is not an authoritative server. It should only see recursive queries.
btw, i noticed that unbound seems not to echo the question section in
REFUSED answers:
query: [17 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6493
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
---
response: [12 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 6493
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
---
vs a BIND9 REFUSED:
query: [17 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55918
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
---
response: [17 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 55918
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
---
i'm not proposing that unbound mimic the BIND9 behavior exactly, but i
was somewhat surprised (in the spirit of draft-vixie-dnsext-dns0x20 and
draft-wijngaards-dnsext-resolver-side-mitigation) that responders don't
universally err on the side of paranoia by always copying the question
section exactly from query to response (excepting the case of a format
error while reading the query's question section, of course).
--
Robert Edmonds
edmonds at debian.org
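
The check discussed in the message above, written from the resolver's side as an added example (not part of the original post, and not code from Unbound or BIND9): it compares the question section of a response byte-for-byte against the query. The function names are hypothetical, and the sample messages are constructed from the header values shown in the dumps above.

```python
import struct

def build_message(msg_id, flags, questions=()):
    # Header plus question section only; names are given in wire format.
    out = struct.pack("!HHHHHH", msg_id, flags, len(questions), 0, 0, 0)
    for name_wire, qtype, qclass in questions:
        out += name_wire + struct.pack("!HH", qtype, qclass)
    return out

def question_section(msg):
    # Returns (id, rcode, qdcount, raw question bytes).
    if len(msg) < 12:
        raise ValueError("short header")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos = 12
    for _ in range(qdcount):
        while True:
            if pos >= len(msg):
                raise ValueError("truncated name")
            length = msg[pos]
            if length & 0xC0:
                raise ValueError("unexpected label type in question")
            pos += 1 + length
            if length == 0:          # root label ends the name
                break
        pos += 4                     # QTYPE + QCLASS
        if pos > len(msg):
            raise ValueError("truncated question")
    return msg_id, flags & 0x000F, qdcount, msg[12:pos]

def check_echo(query, response):
    qid, _, _, qraw = question_section(query)
    rid, _, rcount, rraw = question_section(response)
    if rid != qid:
        return "id-mismatch"
    if rcount == 0:
        return "no-question"         # only the 16-bit id ties it to the query
    if rraw != qraw:                 # byte-exact, so 0x20 case mixing is enforced
        return "question-mismatch"
    return "echoed"

# Constructed samples: ". IN NS" (root name, type 2, class 1); 0x8005 = qr + REFUSED.
ROOT_NS = (b"\x00", 2, 1)
QUERY_A = build_message(6493, 0x0000, [ROOT_NS])       # 17 octets
REFUSED_EMPTY = build_message(6493, 0x8005)            # 12 octets, QUERY: 0
QUERY_B = build_message(55918, 0x0000, [ROOT_NS])
REFUSED_ECHO = build_message(55918, 0x8005, [ROOT_NS]) # 17 octets, QUERY: 1
```
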