Thanks for everyone's responses. An enlightening thread, and I fully understand now.


FONG



On Tue, 28 Jul 2015, Anand Buddhdev via Unbound-users wrote:

> On 28/07/15 15:17, Jaap Akkerhuis via Unbound-users wrote:
>
>> However if I hit Google's lookup servers with the same command from the
>> same client machine, I get the expected response...
>
> The +trace option causes dig not to use the local resolver. From the
> dig manual:

Not quite. If you use the +trace option, dig makes *one* query to its
local resolver(s) to get a list of root name servers. Thereafter, it
makes its own iterative queries. However, that initial query has RD=0,
and unbound won't answer. Anonymous fongaboo will have to specifically
allow cache snooping in unbound for this.

This is a weird design choice in dig. It shouldn't rely on any resolvers
for the initial query. It should just use a built-in list of root name
servers, and prime itself, just like BIND does.

Regards,
Anand
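To make the priming step Anand describes concrete, here is an added example (not from the thread, and not code from the dig or Unbound projects) that builds the same `. NS` query dig +trace sends with RD=0, decodes the header of the reply, and states what the flags mean for the trace. The REFUSED reply is constructed inline, labelled as such, to stand for what a resolver that does not permit non-recursive queries returns; the `send_query` helper assumes a resolver on 127.0.0.1:53 and is only used when the script is run directly.

```python
"""Reproduce the priming query dig +trace sends, and decode the resolver's
reply.  Added example for this thread; not from the dig or Unbound projects.
Assumed: a resolver on 127.0.0.1:53, used only by send_query()."""
import socket
import struct

# Header flag bits from RFC 1035 section 4.1.1.
QR = 0x8000   # message is a response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
QTYPE_NS, QCLASS_IN = 2, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Dotted name -> wire format; the root '.' is the single zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split(".") if label)
    return out + b"\x00"


def build_query(name, qtype, recursion_desired, txid=0x1234):
    """One question, no EDNS. dig +trace's first query is '. NS' with RD=0."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Return the header fields a debugger cares about from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": an, "authority": ns}


def explain(query, response):
    """Map the query flags and the reply's rcode to what the thread describes."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "not a response to our query"
    if not q["rd"] and r["rcode"] == 5:
        return ("non-recursive query refused: resolver does not allow cache "
                "snooping, so dig +trace cannot prime its root server list")
    if r["rcode"] == 0 and (r["answers"] or r["authority"]):
        return "resolver answered; dig +trace can continue iteratively"
    return "rcode " + r["rcode_name"]


# Constructed, not captured: the REFUSED reply a resolver that only accepts
# recursive queries (Unbound access-control 'allow') gives to the RD=0 query.
PRIMING_QUERY = build_query(".", QTYPE_NS, recursion_desired=False)
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RA | 5, 1, 0, 0, 0)
                 + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN))


def send_query(query, resolver="127.0.0.1", port=53, timeout=2.0):
    """Send a query over UDP and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    print("constructed reply:", explain(PRIMING_QUERY, REFUSED_REPLY))
    reply = send_query(PRIMING_QUERY)   # assumes a resolver on 127.0.0.1:53
    print("live resolver:", "no reply" if reply is None
          else explain(PRIMING_QUERY, reply))
```

Running it against a local Unbound whose `access-control` entry for the client is `allow` reproduces the failure in the thread: the RD=0 query comes back REFUSED and the trace never gets its root server list. Changing that entry to `allow_snoop` admits non-recursive queries, but the same queries let any host in that netblock enumerate what the resolver has cached, so limit `allow_snoop` to the administrator hosts that actually need to debug with +trace rather than the whole client range.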
