Package: unbound
Version: 1.17.1-2+deb12u2
Severity: normal
X-Debbugs-Cc: d...@darkboxed.org
Hi Michael, Robert,

I'm sure you're aware that unbound has [long since] been broken with dig +trace because the root NS query it performs, essentially `dig NS . +nordflag`, rubs unbound the wrong way for what I surmise are upstream fears of cache probing with RD=0. Upstream suggests using an allow_snoop=yes ACL, but in my case I want +trace to work on the entire network, and this would open up cache probing attacks again.

[long since]: 14y old report, https://unbound-users.unbound.narkive.com/sHX2cidL/dig-trace-does-not-work-with-unbound

[Recently] dig was updated to use RD=1 instead. However, I find that unbound will still not respond with the set of root nameservers as I'd expect, so that's not going to help either:

$ dig +rdflag NS . @::1

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> +rdflag NS . @::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20394
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 20 (Not Authoritative)
;; QUESTION SECTION:
;.				IN	NS

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Jan 28 22:32:38 CET 2025
;; MSG SIZE  rcvd: 34

[Recently]: https://gitlab.isc.org/isc-projects/bind9/-/issues/1028

Now I do not really understand why unbound behaves like this. The root server list is clearly local data; RD shouldn't matter at all, no?

I tried some config workarounds to fix this:

1) serving "." using an auth-zone. nope :)
2) local-zone: transparent. didn't really expect that to work tbh.

I'll probably end up sending a patch upstream for this when I get around to digging deeper into the code. Would you also accept it?
Thanks,
--Daniel

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-26-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser              3.134
ii  init-system-helpers  1.65.2
ii  libc6                2.36-9+deb12u8
ii  libevent-2.1-7       2.1.12-stable-8
ii  libnghttp2-14        1.52.0-1+deb12u1
ii  libprotobuf-c1       1.4.1-1+b1
ii  libpython3.11        3.11.2-6+deb12u3
ii  libssl3              3.0.14-1~deb12u2
ii  libsystemd0          252.30-1~deb12u2
ii  lsb-base             11.6
ii  sysvinit-utils [lsb-base]  3.06-4

Versions of packages unbound recommends:
ii  dns-root-data  2024041801~deb12u1

Versions of packages unbound suggests:
ii  apparmor  3.0.8-3
ii  openssl   3.0.14-1~deb12u2

-- no debconf information
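An added example, not part of this bug report and not code from unbound or dig: a small POSIX sh helper that sends the two root-NS query shapes dig +trace has used (RD cleared, as old dig did, and RD set, as dig does since the bind9 issue above) to a resolver and classifies each reply by rcode, answer count and EDE code. The probe function assumes dig from bind9-dnsutils is on PATH (+norecurse/+recurse are the same flags as +nordflag/+rdflag); the classifier itself only parses dig's text output, and the two embedded samples are the REFUSED reply quoted in the report plus a constructed NOERROR reply, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the report): probe a resolver for the RD=0 and RD=1
# "NS ." queries that dig +trace depends on, and summarise each dig(1) reply.
# Assumes dig is installed for probe_root_ns; classify_dig needs no network.

# rcode from the ';; ->>HEADER<<-' line, e.g. REFUSED
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# number of RRs in the answer section, taken from the ';; flags:' line
dig_answer_count() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# Extended DNS Error code from the OPT pseudosection, or '-' when absent
dig_ede() {
    ede=$(printf '%s\n' "$1" | sed -n 's/^; EDE: \([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${ede:--}"
}

# one-line summary: "<rcode> answers=<n> ede=<code or ->"
classify_dig() {
    printf '%s answers=%s ede=%s\n' \
        "$(dig_status "$1")" "$(dig_answer_count "$1")" "$(dig_ede "$1")"
}

# Send both query shapes to resolver $1. An answered RD=0 query means this
# client may ask non-recursive (cache-snooping) questions; a REFUSED RD=1
# query is the case the report shows against unbound.
probe_root_ns() {
    server=$1
    printf 'RD=0: %s\n' "$(classify_dig "$(dig +norecurse NS . "@$server" 2>&1)")"
    printf 'RD=1: %s\n' "$(classify_dig "$(dig +recurse NS . "@$server" 2>&1)")"
}

# Sample 1: the REFUSED reply quoted in the report, trimmed to its header lines.
REFUSED_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20394
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 20 (Not Authoritative)
EOF
)

# Sample 2: constructed (not captured) shape of a reply carrying the 13 root
# NS records; the id is made up for the example.
NOERROR_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.				IN	NS
EOF
)

if [ $# -gt 0 ]; then
    probe_root_ns "$1"            # e.g. ./probe.sh ::1
else
    classify_dig "$REFUSED_SAMPLE"   # REFUSED answers=0 ede=20
    classify_dig "$NOERROR_SAMPLE"   # NOERROR answers=13 ede=-
fi
```

Run it with a resolver address to see both query shapes side by side; a resolver that answers RD=0 from cache for every client is the cache-probing exposure the report wants to avoid, while one that refuses the RD=1 form is the behaviour reported here.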