Tony Finch <d...@dotat.at> writes:
> Bjørn Mork <bj...@mork.no> wrote:
>>
>> Recently I noticed a side effect of this configuration which I consider
>> unwanted and unexpected: It changes how BIND replies to requests without
>> the RD bit set. BIND will normally answer such requests with a "best
>> possible redirection", using any matching NS set it has in its cache.
>> Which often will be the root NS. But using the RFC7706 example config,
>> BIND will REFUSE all requests without RD set.
>
> I agree this behaviour is unhelpful and weird. It seems to come from the
> following bit of the source, though the comment doesn't help very much to
> explain the whys or wherefores.
> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/query.c;h=0cfdf9288fb16a8f991e7a31f3248118add691d5;hb=HEAD#l1040
>
>         /*
>          * Non recursive query to a static-stub zone is prohibited; its
>          * zone content is not public data, but a part of local configuration
>          * and should not be disclosed.
>          */
>         if (dns_zone_gettype(zone) == dns_zone_staticstub &&
>             !RECURSIONOK(client)) {
>                 return (DNS_R_REFUSED);
>         }

Thanks for the code pointer! I tried looking at the git commit log, but
it didn't help explaining this either. The comment and test were part
of the commit adding the "static-stub" feature.

> You might be able to work around the problem by adding a
> match-recursion-only option to the recursive view, and adding a
> non-recursive view that has allow-query-cache, and use attach-cache
> so all views share the same cache. I have not tried this :-)

And the main objection I hear wrt RFC7706 is that it complicates the
config :)


Bjørn

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
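
A way to check which of the two behaviours discussed in this thread a resolver shows (REFUSED versus a referral for a query with RD clear), as an added example that is not part of the original messages or of BIND. The function names and the two header-only sample replies are constructed for illustration; `probe` assumes an IPv4 server reachable over UDP port 53.

```python
import socket
import struct

QR, AA, RD = 0x8000, 0x0400, 0x0100  # DNS header flag bits
REFUSED = 5                          # RCODE REFUSED


def build_query(qname, qtype=2, rd=False, qid=0x7706):
    """Build a DNS query (default type NS); rd=False clears RD like `dig +norec`."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    labels = [l for l in qname.split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN


def classify(response):
    """Classify a reply to an RD=0 query using only its 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response (QR clear)")
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"      # what the static-stub check returns
    if rcode == 0 and an == 0 and ns > 0 and not flags & AA:
        return "referral"     # "best possible redirection" from cache
    if rcode == 0 and an > 0:
        return "answer"
    return "other(rcode=%d)" % rcode


def probe(server, qname=".", timeout=2.0):
    """Send one RD=0 query over UDP to server:53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        return classify(s.recvfrom(4096)[0])


# Constructed header-only samples (no records), for offline checking.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x7706, QR | REFUSED, 1, 0, 0, 0)
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x7706, QR, 1, 0, 13, 13)
```
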