Re: [DNSOP] Unexpected REFUSED from BIND when using example config from RFC7706

[Tony Finch <dot@dotat.at>]

Bjørn Mork <bjorn@mork.no> wrote:
>
> Recently I noticed a side effect of this configuration which I consider
> unwanted and unexpected: It changes how BIND replies to requests without
> the RD bit set. BIND will normally answer such requests with a "best
> possible redirection", using any matching NS set it has in its cache.
> Which often will be the root NS.  But using the RFC7706 example config,
> BIND will REFUSE all requests without RD set.

I agree this behaviour is unhelpful and weird. It seems to come from the
following bit of the source, though the comment doesn't help very much to
explain the whys or wherefores.
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/query.c;h=0cfdf9288fb16a8f991e7a31f3248118add691d5;hb=HEAD#l1040

	/*
	 * Non recursive query to a static-stub zone is prohibited; its
	 * zone content is not public data, but a part of local configuration
	 * and should not be disclosed.
	 */
	if (dns_zone_gettype(zone) == dns_zone_staticstub &&
	    !RECURSIONOK(client)) {
		return (DNS_R_REFUSED);
	}

You might be able to work around the problem by adding a
match-recursion-only option to the recursive view, and adding a
non-recursive view that has allow-query-cache, and use attach-cache
so all views share the same cache. I have not tried this :-)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire, Northeast Forties: Westerly 5 to 7,
occasionally gale 8 at first in Viking and South Utsire, veering northwesterly
5 or 6. Rough, becoming moderate later. Occasional drizzle, fog patches
developing. Moderate, occasionally very poor.