dig +trace question

Anand Buddhdev anandb at ripe.net
Fri Jun 21 07:15:04 UTC 2019


On 21/06/2019 04:55, Ronald F. Guilmette wrote:

> What is it about unbound/local-unbound that makes it not plug and play well
> with dig +trace?  What is it that Google's public name servers are doing
> that a local running instance of unbound and/or local-unbound isn't doing?

This is a very subtle bug.

Unbound does NOT allow non-recursive queries by default. If you want to
allow non-recursive queries, you have to configure this with the
"allow_snoop" ACL.

Now, dig with +trace used to send all its queries without setting the RD
flag. Most recursive resolvers don't mind, and will still answer.
However, unbound doesn't like this. When you run dig with +trace, and
you don't provide it a root name server to start with, then it asks the
local resolver for ./NS, without the RD flag, and unbound won't answer.

Funnily enough, this issue was noticed by Tore Anderson, who correctly
said that dig, even with +trace, should do its initial ./NS query WITH
the RD flag set. He reported it to ISC in issue #1028, and it has been
fixed with BIND version 9.14.3. So if you are able to try this newest
version with your setup, I hypothesise that it will work.

Regards,
Anand Buddhdev
RIPE NCC
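As an added illustration (not code from this thread or from the unbound or BIND projects), the following Python script builds the `./NS` query that dig +trace sends, both without the RD flag (the old behaviour) and with it (the fixed behaviour), and includes a simplified model of how an `allow` versus `allow_snoop` ACL action treats such a query; that model is an assumption of this example, not unbound's actual code.

```python
import struct

QTYPE_NS = 2
QCLASS_IN = 1
RD_BIT = 0x0100  # "Recursion Desired" is bit 8 of the 16-bit flags word (RFC 1035 section 4.1.1)


def encode_name(qname: str) -> bytes:
    """Encode a domain name as length-prefixed labels; the root "." is just the terminating 0x00."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message; `rd` controls whether the RD flag is set."""
    flags = RD_BIT if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no other sections
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet: bytes) -> dict:
    """Return the fields a resolver's access-control check looks at: the RD flag and the question."""
    txid, flags, _qdcount = struct.unpack("!HHH", packet[:6])
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    qname = ".".join(labels) + "." if labels else "."
    return {"id": txid, "rd": bool(flags & RD_BIT), "qname": qname, "qtype": qtype, "qclass": qclass}


def unbound_answers(acl_action: str, packet: bytes) -> bool:
    """Simplified model (an assumption of this example) of unbound's ACL decision:
    'allow' serves only recursive queries (RD set), 'allow_snoop' also serves
    non-recursive ones, and any other action serves nothing."""
    if acl_action == "allow_snoop":
        return True
    if acl_action == "allow":
        return parse_query(packet)["rd"]
    return False


if __name__ == "__main__":
    old_trace = build_query(".", QTYPE_NS, rd=False)  # what dig +trace sent before the fix
    new_trace = build_query(".", QTYPE_NS, rd=True)   # what dig +trace sends from BIND 9.14.3
    for label, pkt in (("old", old_trace), ("new", new_trace)):
        print(label, parse_query(pkt), "answered under 'allow':", unbound_answers("allow", pkt))
```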


More information about the bind-users mailing list