Hi,

On 23/11/15 06:31, Steinar Haug via Unbound-users wrote:
>> I have a few recursive name servers running Debian. I have
>> recently upgraded the packages I was running from Jessie
>> (1.4.22-3) to testing (1.5.6-1). Since the upgrade I have noticed
>> when testing using dig on domains that not all records get
>> returned for an any query.
>
> The usual interpretation of an ANY query is that a recursive name
> server will return all the records *it has cached*, while an
> authoritative name server will simply return *all records*. This
> could be the reason for what you are seeing.

Also, this is an early interpretation of the draft
https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-00 . This is to limit DoS attacks with qtype ANY, while being protocol conformant (i.e. DNSSEC and mail programs). It returns not all, but some rrset entries, if those are in cache.

On the topic of DoS attacks, your new version of unbound has ratelimiting with the option ratelimit: 100 or something (ratelimits new, uncached queries per zone; but does not ratelimit prefetches).

Best regards, Wouter

> Steinar Haug, Nethelp consulting, [email protected]
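A simplified model of the per-zone limit described in the reply above, added here as an illustration and not code from Unbound or from anyone in the thread. The class and function names, the one-second counting window, the zone names and the traffic are all assumptions constructed for the example.

```python
from collections import defaultdict


class ZoneRateLimiter:
    """Toy model: only new, uncached queries count against a zone's budget."""

    def __init__(self, limit):
        self.limit = limit                # allowed uncached queries per zone per second
        self.counts = defaultdict(int)    # (zone, second) -> queries counted so far

    def allow(self, zone, now, cached=False, prefetch=False):
        # Answers served from cache and prefetches are exempt, as the message states.
        if cached or prefetch:
            return True
        key = (zone, int(now))            # assumption: fixed one-second windows
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def simulate(events, limit):
    """Return {zone: number of queries the model refused}."""
    limiter = ZoneRateLimiter(limit)
    refused = defaultdict(int)
    for now, zone, cached, prefetch in events:
        if not limiter.allow(zone, now, cached, prefetch):
            refused[zone] += 1
    return dict(refused)


def constructed_events():
    """Constructed traffic: (timestamp, zone, served_from_cache, is_prefetch)."""
    events = []
    # Burst of 250 uncached lookups under one zone inside a single second.
    events += [(i / 1000.0, "victim.example.", False, False) for i in range(250)]
    # Ordinary load on an unrelated zone shares none of that budget.
    events += [(0.5, "quiet.example.", False, False) for _ in range(20)]
    # Cache hits and prefetches for the busy zone still pass.
    events += [(0.6, "victim.example.", True, False) for _ in range(50)]
    events += [(0.7, "victim.example.", False, True) for _ in range(10)]
    # In the next second the zone's counter starts again.
    events += [(1.2, "victim.example.", False, False) for _ in range(30)]
    return events


if __name__ == "__main__":
    print(simulate(constructed_events(), limit=100))
```

With the limit at 100, only the excess of the uncached burst is refused; cached answers, prefetches and the other zone are unaffected.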
