Hei,
We have a customer complaining that he can't use "dig +trace". I have the
idea that it's because dig in trace mode tries to fetch the list of root
name servers in a non-recursive way, which is forbidden by Unbound by
default, at least. The Unbound documentation says it is possible if you
configure allow_snoop, but it also states that it should be set only for
administrators or so. However, our customer states that we _must_ support
it for every customer; he gave this information as the explanation for
his request:
RFC1034
"All name servers must implement non-recursive queries."
Now I am a bit uncertain about the situation. If he is right, is Unbound not
RFC compatible without this snoop support configured? Also, then the
documentation of Unbound should not say that this setting should only be
used by administrators (for debug purposes), since it seems an RFC
(which is also an STD: STD13) requires it, so here we have a "MUST" (RFC) and
"should not" (Unbound documentation) conflict.
Please help me to understand the situation. If it is not needed to support
it (I misunderstood the RFC, or another RFC obsoletes this one, etc.), please
give me some hints on what I should look for to explain the lack of this
feature to our customer.
Thanks a lot in advance!
- Gábor Lénárt
Gábor,
Unbound implements non-recursive queries. Try:
$ dig +norec localhost @<your_ip>
It refuses to answer with data from cache, e.g. for domains for which it is not
authoritative (all domains except localhost, reverse 127.0.0.1 and
::1, the AS112 zones, and those defined by you in local-data
statements).
Ondrej
Ondřej,
> Gábor,
> Unbound implements non-recursive queries. Try:
> $ dig +norec localhost @<your_ip>
> It refuses to answer with data from cache, e.g. for domains for which it is not
> authoritative (all domains except localhost, reverse 127.0.0.1 and
> ::1, the AS112 zones, and those defined by you in local-data
> statements).
Thanks for your answer! Yes, I more or less understand/have understood this,
but he interprets the RFCs this way: non-recursive queries must be supported
for other domains too (not just for localhost, etc.), or at least for the list
of root name servers. Is he wrong? Can you tell me where it is written (in an
RFC or other more-or-less standard resource) that the minimal set of
"domains" to support for non-recursive queries _must_ be the list you provided
in your reply and not others (like querying the list of root nameservers, which
is what he wants)? Hopefully I am not too off-topic here, since it's not such an
Unbound-related topic anymore, it seems! Anyway, thanks for your answer again!
- Gábor
> Ondřej,
>> Gábor,
>> Unbound implements non-recursive queries. Try:
>> $ dig +norec localhost @<your_ip>
>> It refuses to answer with data from cache, e.g. for domains for which it is not
>> authoritative (all domains except localhost, reverse 127.0.0.1 and
>> ::1, the AS112 zones, and those defined by you in local-data
>> statements).
> Thanks for your answer! Yes, I more or less understand/have understood this,
> but he interprets the RFCs this way: non-recursive queries must be supported
> for other domains too (not just for localhost, etc.), or at least for the list
> of root name servers. Is he wrong?
That's nonsense. See below.
> Can you tell me where it is written (in an
> RFC or other more-or-less standard resource) that the minimal set of
> "domains" to support for non-recursive queries _must_ be the list you provided
> in your reply
No domains MUST be provided. You can find a list of domains which
SHOULD be provided in RFC1912 section 4.1
> and not others (like querying the list of root nameservers, which is what he wants)?
According to my understanding of the RFC, a server MUST implement
non-recursion just for those domains it is authoritative for. In the case
of a recursive resolver that could be no domains. So you would respond to
queries without the RD bit only if you configured the DNS server as
authoritative. DNS cache snooping is considered a security
disclosure by some people (e.g. you can snoop on other people).
Ondrej
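As an added example (not code from the thread or from Unbound), the Python below builds the wire query that "dig +norec" sends (RD bit cleared) and checks a reply the way Ondrej describes: REFUSED for names the resolver is not authoritative for, versus non-authoritative data returned from cache, which is the cache-snooping exposure. The reply packets are constructed by hand, not captured from a real resolver.

```python
import struct

# Added example, not code from the thread or from Unbound: builds the wire
# query that "dig +norec" sends (RD bit cleared) and classifies a reply.
# All packets below are constructed by hand, not captured from a resolver.

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Dotted name -> DNS wire format: length-prefixed labels, NUL terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, recursion_desired=False):
    """Header + one A/IN question. recursion_desired=False mirrors 'dig +norec'."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_header(packet):
    """Pull out the header fields a non-recursive-query check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0xF
    return {"id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
            "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "rcode": RCODE_NAMES.get(rcode, str(rcode)), "ancount": an}

def serves_cache_to_norec(packet):
    """True if the resolver answered a non-RD query with non-authoritative data
    (AA=0, NOERROR, answers present): the cache-snooping case Ondrej mentions.
    REFUSED is what a recursive-only resolver should return instead."""
    h = parse_header(packet)
    if not h["qr"]:
        raise ValueError("not a response")
    return h["rd"] == 0 and h["aa"] == 0 and h["rcode"] == "NOERROR" and h["ancount"] > 0

# Constructed replies to build_query("www.example.com"), same question section.
QUESTION = encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
# flags 0x8085: QR=1, RA=1, RCODE=5 (REFUSED), no answer records.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8085, 1, 0, 0, 0) + QUESTION
# flags 0x8080: QR=1, RA=1, AA=0, NOERROR, plus one A record (name is a pointer
# to offset 12, TTL 300, rdata 192.0.2.1) served from cache.
A_RECORD = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
CACHED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + QUESTION + A_RECORD

if __name__ == "__main__":
    print("query:", build_query("localhost").hex())
    for label, pkt in (("refused", REFUSED_REPLY), ("cached", CACHED_REPLY)):
        verdict = "snoopable" if serves_cache_to_norec(pkt) else "ok"
        print(label, parse_header(pkt)["rcode"], verdict)
```

To check your own resolver, send build_query(...) over UDP port 53 and pass the reply to serves_cache_to_norec; a resolver configured as in Ondrej's description returns REFUSED for non-local names.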
That seems rather out of context, as it is talking about authoritative
nameservers there. Note that RFC 1034 talks about "name servers" and
"resolvers" where these days we talk about "authoritative name servers"
and "recursive name servers" (resolvers). See RFC1034 Section 2.4.
Paul
* Gábor Lénárt:
> We have a customer complaining that he can't use "dig +trace".
Just use "dig +trace @a.root-servers.net". It's a bit inconvenient,
but it's not the end of the world.
Yes yes, this was the one I've recommended to him too. He just tried to
make us implement the "comfortable" way, with the explanation that the RFCs say
we must support it. Thanks to all for the answers, and yes, of course I
found that odd too, to implement non-recursive queries on a recursive-only
nameserver for _all_ domains (or at least for the root nameservers); it's quite
nonsensical. I just wanted to ask you how I can explain the problem with this
idea in a way that he can accept.
Btw, I found it a bit odd that dig doesn't have a heuristic to find this
out, to try to fetch the list of root nameservers with a recursive query too,
or fall back to a built-in list (as nameservers use a root hints file
too, in some way).
Thanks!
Not everyone uses the same root nameservers...
Cheers