Hi Petr,

It is enabled by default, and implemented in Unbound 1.5.4. These are the changelog entries from the download page:

Unbound 1.5.6
- ANY responses include DNAME records if present, as per Evan Hunt's remark in dnsop.

Unbound 1.5.4 (9 july 2015)
- Synthesize ANY responses from cache. Does not search exhaustively, but MX,A,AAAA,SOA,NS also CNAME.

Best regards, Wouter

On 25/08/17 12:57, Petr Špaček via Unbound-users wrote:
> On 25.8.2017 11:47, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Petr,
>>
>> Unbound already implements that draft. Method 4.1, select one (actually
>> a couple) RRsets. It picks them from cache if they are available there
>> (eg. A record or SOA record) and if no records are in cache, it'll make
>> a query.
>
> Oh, nice! Is it released already?
>
> I'm not able to find string "refuse-any" either in
> http://unbound.nlnetlabs.nl/svn/trunk/doc/Changelog
> or in SVN log.
>
>
> Curious question: How are these RRsets selected?
> For example domain cpsc.gov. which is often used for attacks using our
> resolver can produce rather large answers for QTYPE, so returning more
> than one QTYPE might not cut the size down as we would wish.
>
> Petr Špaček @ CZ.NIC
>
>
>>
>> There may be tricks with local-zones or local-data or python scripting
>> or views.
>>
>> Best regards, Wouter
>>
>> On 25/08/17 11:42, Petr Špaček via Unbound-users wrote:
>>> Hello,
>>>
>>> is it possible to use some trick to configure Unbound to refuse ANY queries?
>>>
>>> It would be helpful for (intentionally) open recursors before
>>> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any is implemented.
>>>
>>> Thank you for your time.
