Why is Unbound not like a `dig +trace`?

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Wed Sep 24 08:28:24 UTC 2025


Hi François,

On 24/09/2025 00:20, François Lafont via Unbound-users wrote:
> After some searches I think I have the answer.
> 
> According to the RFC 1034 (maybe in 5.3.3), nothing forces a recursive 
> DNS resolver to behave like a `dig +trace`, end of story.
> Is that about right?
> 
> At least I have learned how to compile unbound from source and run it in 
> a docker. :)
> 
> Bye.
> 

What you are seeing is qname-minimisation [1] in action.
When Unbound does not yet know the delegation points in the DNS tree, it 
will try to slowly discover them without revealing more information than 
necessary to the parent domains.
The query type used while doing so is "A" as you have seen.

You can read more about qname minimisation in RFC 9156 [2].

Best regards,
-- Yorgos

[1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-qname-minimisation

[2] https://www.rfc-editor.org/rfc/rfc9156
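
Added example, not part of the original post and not Unbound's code: a simplified offline model of the behaviour described above, comparing the queries each parent zone sees when the full name is sent at every step (as `dig +trace` does) with the label-by-label "A" probes of qname minimisation. The zone cuts, the name www.sub.example.com. and the function names are constructed assumptions; caching and the label-count limits of RFC 9156 are ignored.

```python
"""Which (server zone, qname, qtype) tuples leave the resolver, with and
without QNAME minimisation. Constructed data only, no network access."""

# Constructed delegation points (zone cuts) assumed for this illustration.
ZONE_CUTS = {"com.", "example.com."}


def ancestors(qname):
    """Names from one label below the root down to qname itself."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def full_qname_queries(qname, qtype, cuts=ZONE_CUTS):
    """Classic iteration: every server in the chain sees the full question."""
    zone, sent = ".", []
    for name in ancestors(qname):
        if name in cuts:
            sent.append((zone, qname, qtype))  # answered with a referral
            zone = name
    sent.append((zone, qname, qtype))  # answered authoritatively
    return sent


def minimised_queries(qname, qtype, cuts=ZONE_CUTS):
    """Add one label per step; probe with type A until the full name."""
    zone, sent = ".", []
    for name in ancestors(qname):
        last = name == qname
        sent.append((zone, name, qtype if last else "A"))
        if name in cuts:  # referral: a new delegation point was discovered
            zone = name
            if last:  # the full name is itself a zone apex: ask the child
                sent.append((zone, name, qtype))
    return sent


def exposure(queries):
    """Map each server zone to the set of query names it was shown."""
    seen = {}
    for zone, name, _ in queries:
        seen.setdefault(zone, set()).add(name)
    return seen


if __name__ == "__main__":
    for label, fn in (("full", full_qname_queries), ("minimised", minimised_queries)):
        print(label)
        for zone, name, qtype in fn("www.sub.example.com.", "AAAA"):
            print(f"  to servers of {zone:<13} {name} {qtype}")
```

The extra "A" queries for intermediate names in a resolver log or packet capture are therefore expected with minimisation enabled, and the root and TLD servers only ever see the labels they need to issue a referral.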

