Joe Abley (jabley) writes:
The action allow_snoop gives nonrecursive access too. This gives both recursive and nonrecursive access. The name allow_snoop refers to cache snooping, a technique to use nonrecursive queries to examine the cache contents (for malicious acts). However, nonrecursive queries can also be a valuable debugging tool (when you want to examine the cache contents). In that case use allow_snoop for your administration host.
which seems like it's intended to be used to expand the possible access to your server without opening it fully to the world ("give full access to my users, but allow non-users also to inspect the cache with queries that have RD=0 for diagnostic purposes"). I think the "malicious acts" above does not mean opening the cache to abuse, but rather giving people outside your user pool the opportunity to see whether your particular cache has been poisoned with respect to their names.
I didn't know about allow_snoop until now, but I've often wondered why unbound didn't allow querying the cache with RD=0, which I've often used for debugging transient resolution issues. Now I do, but I find it odd that the motivation would be to let a third party snoop one's cache. If anything, I'd just replace allow with allow_snoop for existing clients. Anything else sounds dangerous.

Phil
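
A configuration check for the point discussed in this thread, added here as an example and not written by either poster or taken from unbound: it lists every allow_snoop entry whose netblock falls outside the operator's own client networks. It assumes the `access-control: <netblock> <action>` line format of unbound.conf; the sample configuration, the function names and the `client_nets` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 192.0.2.0/24 allow            # user pool
    access-control: 192.0.2.10/32 allow_snoop     # administration host
    access-control: 198.51.100.0/24 allow_snoop   # outside the user pool
    access-control: ::/0 allow_snoop
"""


def parse_access_control(text):
    """Yield (network, action) for every access-control line in the text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("access-control:"):
            continue
        fields = line.split(":", 1)[1].split()   # split on the first colon only
        if len(fields) != 2:
            continue                             # malformed line, skip it
        netblock, action = fields
        try:
            net = ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            continue                             # not a parsable netblock
        yield net, action


def risky_snoop_entries(text, client_nets):
    """Return allow_snoop netblocks not wholly inside any client network.

    client_nets is the operator's own list of user/admin networks
    (an assumption of this example; unbound has no such setting).
    """
    trusted = [ipaddress.ip_network(n) for n in client_nets]
    findings = []
    for net, action in parse_access_control(text):
        if action != "allow_snoop":
            continue
        inside = any(net.version == t.version and net.subnet_of(t)
                     for t in trusted)
        if not inside:
            findings.append(str(net))
    return findings


if __name__ == "__main__":
    for entry in risky_snoop_entries(SAMPLE_CONF, ["192.0.2.0/24"]):
        print("allow_snoop granted outside client networks:", entry)
```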