Why is Unbound not like a `dig +trace`?
François Lafont
francois.lafont.1978 at gmail.com
Wed Sep 24 09:16:43 UTC 2025
Hi Yorgos,
On 9/24/25 10:28, Yorgos Thessalonikefs via Unbound-users wrote:
>
> What you are seeing is qname-minimisation [1] in action.
> When Unbound does not yet know the delegation points in the DNS tree, it will try to slowly discover them without revealing more information than necessary to the parent domains.
> The query type used while doing so is "A" as you have seen.
>
> You can read more about qname minimisation in RFC 9156 [2].
>
> Best regards,
> -- Yorgos
>
> [1] https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-qname-minimisation
>
> [2] https://www.rfc-editor.org/rfc/rfc9156
Ok, many thanks for your answer. So this feature is a way to protect my privacy. :)
I have done my tests again and of course, as you say:
* with "qname-minimisation: yes" (the default) a `dig in.ac-versailles.fr CAA` failed (timeout).
* with "qname-minimisation: no" a `dig in.ac-versailles.fr CAA` works. \o/
That's really interesting. We learn something new every day with DNS. :)
Thanks again.
Bye.
--
François Lafont
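
Added illustration, not part of the original message and not Unbound's code: a simplified Python model of the behaviour Yorgos describes, listing which question each zone's servers receive with and without QNAME minimisation. The zone cuts are constructed assumptions, one label is added per step, and RFC 9156's limit on the number of minimised steps is not modelled.

```python
# Added example: simplified model of iterative resolution with and without
# QNAME minimisation (RFC 9156). Names must be fully qualified (trailing dot).
# ZONE_CUTS is a constructed set of delegation points, not real DNS data.

ZONE_CUTS = {".", "fr.", "ac-versailles.fr."}


def ancestors(qname):
    """'a.b.c.' -> ['.', 'c.', 'b.c.', 'a.b.c.'] (shortest first)."""
    labels = qname.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "."
                    for i in range(len(labels) - 1, -1, -1)]


def resolve(qname, qtype, minimise=True, cuts=ZONE_CUTS):
    """Return the queries sent as (zone_asked, qname_sent, qtype_sent)."""
    trace, zone = [], "."
    chain = ancestors(qname)
    if not minimise:
        # Classic behaviour: the full question goes to every zone on the path.
        return [(name, qname, qtype) for name in chain if name in cuts]
    # Minimised: ask the closest known zone for a name one label longer,
    # with type A, and send the real qtype only once the full name is reached.
    for name in chain[1:]:
        trace.append((zone, name, qtype if name == qname else "A"))
        if name in cuts:      # referral: a new delegation point is learned
            zone = name
    if zone == qname:         # full name is itself a zone cut: ask the child
        trace.append((zone, qname, qtype))
    return trace


def seen_by(trace, zone):
    """Questions that the servers of `zone` received."""
    return [(name, qtype) for asked, name, qtype in trace if asked == zone]


if __name__ == "__main__":
    for mode in (True, False):
        print("qname-minimisation:", "yes" if mode else "no")
        for zone, name, qtype in resolve("in.ac-versailles.fr.", "CAA", mode):
            print(f"  ask {zone:<18} {name} {qtype}")
```

In this model the root servers see only `fr. A` when minimisation is on, while with it off every zone on the path sees the full `in.ac-versailles.fr. CAA` question.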