2013/1/11 W.C.A. Wijngaards <[email protected]>:
> On 01/11/2013 08:37 AM, Alexander E. Patrakov wrote:
>> I found a difference in behaviour between Unbound and BIND. Could
>> you please explain if this is intentional?
>
> Yes this was intentional. It is copied from NSD. It rejects a query
> that has unknown components, because the server does not support this
> sort of query. FORMERR, because this rcode means there was something
> wrong with the query.
OK, I see.

> Is there some reason you want this?

My company develops parental control software. One of its functions is to redirect all DNS queries originating from the user's computer to our DNS servers, adding a record to the additional section for user-tracking purposes.

Now imagine what happens if a user with our software connects, e.g., to a network where an administrator redirects all DNS queries to his own nameservers running Unbound (and there are valid legal reasons why this redirection is necessary in a number of cases). Now all users of our software get FORMERRs. Well, the software fails closed, but some would prefer it to fail open.

And here is why I have chosen the additional section as the place for the user-tracking record: the IETF did the same more than 10 years ago when the OPT record was standardized. They trusted the implementors of DNS servers to ignore stuff in the additional section that they don't understand (see http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS). And now Unbound wastes this trust. So in fact that's a general case of the "be liberal in what you accept" rule.

Yes, my software also has a bug: it does not retry without that user-tracking additional record on a FORMERR.

-- 
Alexander E. Patrakov

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
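To make the exchange above concrete, here is an added example that is not code from the thread, from Unbound or from NSD. It builds a minimal DNS query with raw `struct`, applies a strict server-side check of the kind Wouter describes (one question, nothing in answer/authority, and nothing in the additional section except a single OPT record at the root name; anything else is FORMERR), contrasts it with a lenient server that simply ignores unknown additional records, and shows the client-side retry without the extra record that Alexander says his software lacks. The owner name `tracking.example.`, the TXT payload, the transaction ID and the helper names are made-up values for this example, and the strict policy is a reconstruction of the behaviour described, not Unbound's actual request-checking code.

```python
import struct

TYPE_A, TYPE_TXT, TYPE_OPT = 1, 16, 41
CLASS_IN = 1
RCODE_NOERROR, RCODE_FORMERR = 0, 1


def encode_name(name):
    """Wire-encode a dotted name ("example.com." or "." for the root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; returns (name, new offset)."""
    labels = []
    while True:
        ln = buf[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(qname, qtype, additional=()):
    """Standard query (RD set, one question) plus the given additional RRs.
    Each RR is (name, type, class, ttl, rdata); for OPT the class field
    carries the UDP payload size, as RFC 6891 defines.  ID 0x1234 is fixed
    here only so the example is deterministic."""
    additional = list(additional)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    rrs = b"".join(
        encode_name(n) + struct.pack("!HHIH", t, c, ttl, len(rd)) + rd
        for n, t, c, ttl, rd in additional)
    return header + question + rrs


def parse_message(buf):
    """Parse header, question and all RRs; refuse trailing garbage."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions, rrs = 12, [], []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    if off != len(buf):
        raise ValueError("trailing bytes after last record")
    return {"id": txid, "flags": flags, "questions": questions,
            "answer": rrs[:an], "authority": rrs[an:an + ns],
            "additional": rrs[an + ns:]}


def classify_query(buf):
    """Server side, strict policy (reconstructed, not Unbound's code): the only
    thing tolerated in the additional section is a single OPT record."""
    try:
        msg = parse_message(buf)
    except (ValueError, struct.error, IndexError):
        return RCODE_FORMERR
    if len(msg["questions"]) != 1 or msg["answer"] or msg["authority"]:
        return RCODE_FORMERR
    opts = [rr for rr in msg["additional"] if rr[1] == TYPE_OPT]
    if len(opts) > 1 or len(opts) != len(msg["additional"]):
        return RCODE_FORMERR  # a second OPT, or any non-OPT record
    if opts and opts[0][0] != ".":
        return RCODE_FORMERR  # OPT owner name must be the root
    return RCODE_NOERROR


def strict_server(query):
    return {"rcode": classify_query(query)}


def lenient_server(query):
    # "Liberal in what you accept": parse, then ignore unknown additional RRs.
    try:
        parse_message(query)
    except (ValueError, struct.error, IndexError):
        return {"rcode": RCODE_FORMERR}
    return {"rcode": RCODE_NOERROR}


def query_with_fallback(send, qname, qtype, extra_rr):
    """Client side: send with the tracking record first; on FORMERR retry the
    plain query.  Returns (response, retried)."""
    resp = send(build_query(qname, qtype, [extra_rr]))
    if resp["rcode"] != RCODE_FORMERR:
        return resp, False
    return send(build_query(qname, qtype)), True


# Constructed sample records; the tracking name and payload are made up.
EDNS_OPT = (".", TYPE_OPT, 4096, 0, b"")
TRACKING_RR = ("tracking.example.", TYPE_TXT, CLASS_IN, 0, b"\x07user-42")
```

Against `strict_server` the query carrying `TRACKING_RR` gets FORMERR and `query_with_fallback` succeeds only on the second, plain query; against `lenient_server` the first query is accepted and no retry happens. Note that the strict policy still accepts a query that carries one OPT record, which is exactly the distinction the thread turns on: EDNS is a known additional-section record, the tracking TXT is not.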
