From: Stefan Schmidt <203977+ZaphodB@users.noreply.github.com> Date: Fri, 31 May 2024 11:55:01 +0000 (+0200) Subject: move older dig +trace explanation to FAQ X-Git-Tag: rec-5.1.0-beta1~8^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ec95bc2efdcca11715db8a07db9243247023aa9;p=thirdparty%2Fpdns.git move older dig +trace explanation to FAQ --- diff --git a/pdns/recursordist/docs/appendices/FAQ.rst b/pdns/recursordist/docs/appendices/FAQ.rst index 74a2e30535..c38c0d1dfd 100644 --- a/pdns/recursordist/docs/appendices/FAQ.rst +++ b/pdns/recursordist/docs/appendices/FAQ.rst @@ -86,3 +86,7 @@ With versions older than 4.8, there is another detail: after refreshing the root For example, in the default setup the root name servers are called ``[a-m].root-servers.net``, so the :program:`Recursor` will resolve the name servers of the ``.net`` domain. This is needed to correctly determine zone cuts to be able to decide if the ``.root-servers.net`` domain is DNSSEC protected. Newer versions solve this by querying the needed information top-down. +Starting with version 5.0.0, enabling :ref:`allow-no-rd` allows for queries without the recursion desired bit to be answered from cache. +Older versions of the ``dig`` program provided by BIND do not set the RD bit causing it to sometimes fail to perform a ``+trace`` when asking a freshly restarted :program:`Recursor` despite the :ref:`allow-no-rd` option being set. +This is because there is a short while after restarting that the cache has no authoritative data on the root, so it will answer with an NODATA (NOERROR and no answer records) in that period for RD=0 queries. +For ``dig`` this has been fixed in `BIND 9.15.1 ` by setting the RD bit. \ No newline at end of file diff --git a/pdns/recursordist/settings/table.py b/pdns/recursordist/settings/table.py index 37e630ed0a..e16200c7d1 100644 --- a/pdns/recursordist/settings/table.py +++ b/pdns/recursordist/settings/table.py 
@@ -203,10 +203,6 @@ Like :ref:`setting-allow-notify-from`, except reading a sequence of `Subnet`_ fr 'doc' : ''' Allow ``no recursion desired (RD=0) queries`` to query cache contents. If not set (the default), these queries are answered with rcode ``Refused``. - -Note that there is a short while after restarting that the cache has no authoritative data on the root, -so it will answer with an NODATA (NOERROR and no answer records) in that period for RD=0 queries. -This affects for example older versions of dig when using its +trace option causing it to fail. ''', 'versionadded': '5.0.0' },
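Review bot: In the FAQ.rst hunk (@@ -86,3 +86,7 @@), both added :ref:`allow-no-rd` references lack the `setting-` label prefix that the table.py context line uses (:ref:`setting-allow-notify-from`), so they will probably not resolve. Consider :ref:`setting-allow-no-rd` and build the docs to confirm the link target. The hunk also ends with "\ No newline at end of file", so the last added line needs a trailing newline. In the third added line, "an NODATA" should read "a NODATA". As the patch appears here, the `BIND 9.15.1 ` link shows no target, so check that the URL is present in the source.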
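Review bot: In the table.py hunk (@@ -203,10 +203,6 @@), removing the note leaves the 'doc' string for this setting with no mention that RD=0 queries are answered with NODATA for a short while after a restart. That behaviour is described in the removed lines as a property of the cache, with dig +trace only as an example, so it is relevant to anyone enabling the setting and not only to readers who reach the FAQ through a dig problem. Suggest keeping a one-sentence pointer to the FAQ entry in the 'doc' string instead of dropping the caveat entirely.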