Dig +trace does not work with unbound

Hi,

when I enable tracing in dig, I get an empty answer:

$ dig +trace www.example.com
; <<>> DiG 9.7.1-P2 <<>> +trace www.example.com
;; global options: +cmd
;; Received 12 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

It is because +trace disables the RD flag, so the first query and reply are:

$ dig +norecurse . NS
; <<>> DiG 9.7.1-P2 <<>> +norecurse . NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23919
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 5 14:01:12 2010
;; MSG SIZE rcvd: 12

When I use BIND instead of unbound, it replies OK. It is because BIND answers with its internal root-hints NS list when RD is not set. Should unbound not behave the same way?

Thanks,
Zbynek

dig +trace works fine if you change your unbound.conf from:

access-control: 127.0.0.0/8 allow

to

access-control: 127.0.0.0/8 allow_snoop

Adjust IP as needed :).

-Dustin

*sigh*

Not like this is not in the mailing list archives or instructions.

'allow' => 'allow_snoop'

Cheers

Unbound usually only answers recursive queries. You can allow
non-recursive queries with the "allow_snoop" option:

        access-control: 127.0.0.0/8 allow_snoop

Hauke.
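
The exchange discussed in this thread, as an added example that is not part of any post: it builds the RD=0 query for ". NS" that dig +trace sends first and decodes a header-only REFUSED reply. The reply bytes are constructed from the dig output quoted above (id 23919, flags qr, all counts 0); the function names are hypothetical.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
HEADER_LEN = 12  # fixed DNS header size; dig reported "Received 12 bytes"

def build_query(name, qtype, rd, qid=23919):
    """Build a DNS query. rd=False matches dig +trace / +norecurse."""
    flags = 0x0100 if rd else 0x0000  # RD (recursion desired) bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig prints."""
    if len(msg) < HEADER_LEN:
        raise ValueError("shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # message is a response
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
        "header_only": len(msg) == HEADER_LEN,
    }

def refused_nonrecursive(query, reply):
    """True for the pattern in this thread: RD=0 query, bare REFUSED reply."""
    q, r = parse_header(query), parse_header(reply)
    return (not q["rd"] and r["qr"] and r["id"] == q["id"]
            and r["rcode"] == "REFUSED" and r["header_only"])

# Constructed sample: the reply from the dig output above, rebuilt as bytes.
# flags 0x8005 = QR set, RCODE 5 (REFUSED); no question or records echoed back.
SAMPLE_REPLY = struct.pack("!HHHHHH", 23919, 0x8005, 0, 0, 0, 0)

if __name__ == "__main__":
    query = build_query(".", 2, rd=False)  # qtype 2 = NS
    print(parse_header(SAMPLE_REPLY))
    print("refused non-recursive query:", refused_nonrecursive(query, SAMPLE_REPLY))
```

The unbound.conf manual names allow_snoop after cache snooping, the use of non-recursive queries to examine cache contents, so the netblock given that action is best kept to loopback or an administration host.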

Hello Zbynek Michl,

this question has been discussed multiple times on this list. A detailed
discussion can be found at:
https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQ&CategoryID=21&ItemID=75

-- Carsten