Atac.fr DNS problem

a message of 18 lines which said:

Please post full trace output, e.g. the result of "dig www.atac.fr
+trace +all +norecurse" if you still can reproduce the issue.

Interesting, this set of options does not work with an Unbound resolver:

% dig www.atac.fr +trace +all +norecurse

; <<>> DiG 9.5.1-P3 <<>> www.atac.fr +trace +all +norecurse
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1483
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Aug 26 14:45:27 2009
;; MSG SIZE rcvd: 12

Stephane Bortzmeyer wrote:

Interesting, this set of options does not work with an Unbound resolver:

% dig www.atac.fr +trace +all +norecurse

The same problem exists with BIND and "match-recursive-only yes;".

dig +trace first queries the resolver in /etc/resolv.conf for ". NS"
without setting the RD bit. Unbound refuses non-recursive queries.
There's no way around that without changing dig's source code, AFAIK.

Hauke.
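
Added example, not part of the thread: a Python sketch of the exchange described above, building the ". NS" query with the RD bit clear and decoding a header-only REFUSED reply. The reply bytes are constructed to match the header dig printed earlier in the thread; all function names are illustrative.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_NS, CLASS_IN = 2, 1

def encode_name(name):
    """Encode a domain name in DNS wire format; "." is the single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qid, name, qtype, rd):
    """Build a one-question query; rd=False leaves the RD bit clear."""
    flags = 0x0100 if rd else 0x0000      # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_header(msg):
    """Decode the fixed 12-byte header that every DNS message starts with."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "counts": (qd, an, ns, ar)}

# Constructed sample: a reply matching the header dig printed in the thread
# (id 1483, flags qr only, status REFUSED, every section count 0, 12 bytes).
REFUSED_REPLY = struct.pack("!HHHHHH", 1483, 0x8000 | 5, 0, 0, 0, 0)

if __name__ == "__main__":
    q = build_query(1483, ".", QTYPE_NS, rd=False)
    print("query:", q.hex(), parse_header(q))
    print("reply:", len(REFUSED_REPLY), "bytes", parse_header(REFUSED_REPLY))
```

The reply carries no question section at all, which is why dig reports "QUERY: 0" and "MSG SIZE rcvd: 12".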

Hi Stephane,

You need to add ‘allow_snoop’ to your access-control statement in unbound.conf

Example

access-control: 0.0.0.0/0 allow_snoop

Cheers,

Gareth