On 21/06/2019 04:55, Ronald F. Guilmette wrote:

> What is it about unbound/local-unbound that makes it not plug and play well
> with dig +trace? What is it that Google's public name servers are doing
> that a local running instance of unbound and/or local-unbound isn't doing?
This is a very subtle bug. Unbound does NOT allow non-recursive queries by default. If you want to allow non-recursive queries, you have to configure this with the "allow_snoop" ACL.

Now, dig with +trace used to send all its queries without setting the RD flag. Most recursive resolvers don't mind, and will still answer. However, unbound doesn't like this. When you run dig with +trace, and you don't provide it a root name server to start with, then it asks the local resolver for ./NS, without the RD flag, and unbound won't answer.

Funnily enough, this issue was noticed by Tore Anderson, who correctly said that dig, even with +trace, should do its initial ./NS query WITH the RD flag set. He reported it to ISC in issue #1028, and it has been fixed with BIND version 9.14.3. So if you are able to try this newest version with your setup, I hypothesise that it will work.

Regards,
Anand Buddhdev
RIPE NCC

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
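The mechanism Anand describes, as an added example that is not part of the thread or of unbound/BIND code: it builds the initial ". NS" query on the wire both ways (RD clear, as older dig +trace sent it; RD set, as dig 9.14.3 and later do), shows where the RD bit sits in the DNS header, and models unbound's access-control decision for each case. The action names (deny, refuse, allow, allow_snoop) are unbound's own, but the decision function is this example's simplification of the documented behaviour, not unbound source; the transaction ID 0x1234 and the optional UDP probe target are assumptions. The configuration fix the message points at is an unbound.conf line such as `access-control: 127.0.0.0/8 allow_snoop` in place of a plain `allow`.

```python
"""Constructed demonstration of the RD flag that older dig +trace left clear.

Added example, not from the bind-users thread. Builds the initial '. NS'
query with RD clear and with RD set, parses the header flags back out,
and models unbound's per-client access-control handling of each. The
live_probe() helper is optional and only runs when a resolver IP is given.
"""
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1); only the ones used here.
FLAG_QR = 0x8000      # response (1) vs query (0)
FLAG_RD = 0x0100      # Recursion Desired, set by normal stub queries
FLAG_RA = 0x0080      # Recursion Available, set by a recursive resolver
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5

QTYPE_NS = 2
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; the root '.' is just the zero-length label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qtype: int, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query; rd=False is what old dig +trace sent."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; rcode 5 (REFUSED) is unbound's reply to RD=0 under 'allow'."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
    }


def unbound_access_decision(acl_action: str, rd: bool) -> str:
    """Simplified model (this example's, not unbound code) of unbound's
    access-control actions: 'allow' serves recursive queries only and
    refuses RD=0; 'allow_snoop' serves both; 'refuse' answers REFUSED;
    'deny' silently drops."""
    if acl_action == "deny":
        return "drop"
    if acl_action == "refuse":
        return "REFUSED"
    if acl_action == "allow":
        return "answer" if rd else "REFUSED"
    if acl_action == "allow_snoop":
        return "answer"
    raise ValueError(f"unknown access-control action: {acl_action}")


def live_probe(resolver_ip: str, rd: bool, timeout: float = 2.0) -> dict:
    """Send the '. NS' query to a real resolver over UDP and return its parsed header.
    Not exercised by the stand-alone run unless a resolver address is supplied."""
    q = build_query(".", QTYPE_NS, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


if __name__ == "__main__":
    import sys
    for rd in (False, True):
        q = build_query(".", QTYPE_NS, rd)
        print(f"RD={int(rd)} query {q.hex()} -> allow: {unbound_access_decision('allow', rd)}, "
              f"allow_snoop: {unbound_access_decision('allow_snoop', rd)}")
    if len(sys.argv) > 1:  # e.g. python3 rdflag.py 127.0.0.1
        for rd in (False, True):
            print(f"RD={int(rd)} live:", live_probe(sys.argv[1], rd))
```

Run stand-alone it prints the two 17-byte queries, which differ only in the byte pair at offset 2 (0x0000 vs 0x0100), alongside the modelled verdicts. Pointed at a local unbound with a plain `allow` ACL, the RD=0 probe should come back with rcode 5 and the RD=1 probe with rcode 0; with `allow_snoop`, both are answered. That is the same contrast `dig @127.0.0.1 . NS +norecurse` versus `dig @127.0.0.1 . NS` shows.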