On 28/07/15 15:17, Jaap Akkerhuis via Unbound-users wrote:

> > However if I hit Google's lookup servers with the same command from the
> > same client machine, I get the expected response...
>
> The +trace option causes dig not to use the local resolver. From the
> dig manual:
Not quite. If you use the +trace option, dig makes *one* query to its local
resolver(s) to get a list of root name servers. Thereafter, it makes its own
iterative queries. However, that initial query has RD=0, and unbound won't
answer. Anonymous fongaboo will have to specifically allow cache snooping in
unbound for this.

This is a weird design choice in dig. It shouldn't rely on any resolvers for
the initial query. It should just use a built-in list of root name servers,
and prime itself, just like BIND does.

Regards,
Anand
