stable/10: unbound refuses to forward some DNS queries

Peter Wemm peter at wemm.org
Sun Jun 29 21:57:07 UTC 2014


On Sunday 29 June 2014 20:04:29 Dmitry Morozovsky wrote:
> On Sun, 29 Jun 2014, Dmitry Morozovsky wrote:
> > Thank you so much, it works like a charm.
> > 
> > I do not have special TLD for forward resolving, and for me the following
> > subset seems to be enough:
> >         #suggested by kib@
> >         domain-insecure: "168.192.in-addr.arpa."
> >         local-zone: "168.192.in-addr.arpa." transparent
> 
> ... and it turned out that even the last line is optional.
> 
> To clarify: ALL queries for my case should be forwarded.
> 
> It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014

I use 'nodefault' instead of 'transparent' for these.

I'm pretty sure you do need it because unbound has the RFC1918 and other 
"fake" addresses stubbed out.  If you only did a 'reload' after changing it, 
the stubs would have been replaced with a live address.  I'd expect a full 
kill/restart to not work without it.

You need the domain-insecure for 168.192.in-addr.arpa because there is an NSEC3 
hash on 192.in-addr.arpa that has a 'proof of non-existence' for the 192.168 
node underneath.

For what it's worth, this is the general gist of what we do on the freebsd.org 
cluster with some use of RFC1918 addresses:

Individual machines:
server:
...
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
...
forward-zone:
        # Forward to the cluster caching hub
        name: .
        forward-addr: 2001:4f8:3:ffe0:4064:0:35:1
        forward-addr: 2001:4f8:3:ffe0:4064:0:35:2
        forward-addr: 149.20.53.9
        forward-addr: 149.20.53.10

And one of the corresponding cache hubs:
server:
...
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
...
stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 149.20.53.9@5301    # local authoritative-only zone server
        stub-addr: 149.20.53.10@5301   # local authoritative-only zone server
...

Obviously this would need to be adjusted for whatever RFC1918 addresses you're 
using locally.  But that's how we use the built-in local_unbound resolver for 
dogfood in the freebsd.org cluster.

-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
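The mail above boils the fix down to two statements per RFC1918 reverse zone (domain-insecure plus local-zone ... nodefault) and ends with "this would need to be adjusted for whatever RFC1918 addresses you're using locally". The following is an added example, not code from the thread, from unbound or from the FreeBSD cluster: it computes the in-addr.arpa zone names that cover a private prefix (generalising the post's /8 and /16 cases to the /12 of 172.16.0.0, which is sixteen zones, and to any octet-aligned split), emits the two lines the post uses, and scans an unbound.conf fragment to report which RFC1918 reverse zones still lack one of them, which is the situation that produces "refuses to forward" in the subject. The config parser is a small assumed one (key: value lines and # comments only, no include:), and SAMPLE_CONF is a constructed fragment modelled on the "individual machines" example in the post.

```python
import ipaddress

# The three RFC 1918 ranges discussed in the thread, for which unbound ships
# built-in empty reverse zones.  (It also stubs out other "fake" space such as
# 127/8 and 169.254/16; those are left out here to stay on the thread's topic.)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that exactly cover an IPv4 prefix.

    in-addr.arpa is delegated at octet boundaries, so the prefix is split into
    octet-aligned blocks: 10.0.0.0/8 is one zone, 172.16.0.0/12 is sixteen
    (16.172 ... 31.172), 192.168.0.0/16 is one.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    # Round the prefix length up to a multiple of 8, never shorter than /8.
    aligned = max(8, -(-net.prefixlen // 8) * 8)
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def unbound_stanza(cidr):
    """Emit the two server: lines the post uses per zone: domain-insecure, so
    the validator does not apply the parent's NSEC3 proof of non-existence,
    and local-zone ... nodefault, so unbound's built-in empty zone is dropped
    and the query actually reaches the forwarder."""
    lines = []
    for zone in reverse_zones(cidr):
        lines.append(f'        domain-insecure: "{zone}"')
        lines.append(f'        local-zone: "{zone}." nodefault')
    return "\n".join(lines)


def missing_overrides(conf_text, networks=RFC1918):
    """Scan an unbound.conf fragment and report, per RFC 1918 reverse zone,
    which of the two statements is absent.  A zone listed in the result is
    answered from the built-in empty zone (or fails validation) instead of
    being forwarded.  Assumed mini-parser: 'key: value' lines, '#' comments."""
    insecure, local = set(), {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        parts = value.replace('"', "").split()
        if not parts:
            continue
        zone = parts[0].rstrip(".").lower()
        key = key.strip().lower()
        if key == "domain-insecure":
            insecure.add(zone)
        elif key == "local-zone" and len(parts) > 1:
            local[zone] = parts[1].lower()      # e.g. nodefault, transparent
    problems = {}
    for net in networks:
        for zone in reverse_zones(str(net)):
            missing = []
            if zone not in insecure:
                missing.append("domain-insecure")
            if zone not in local:
                missing.append("local-zone")
            if missing:
                problems[zone] = missing
    return problems


# Constructed sample modelled on the "individual machines" fragment above:
# it only overrides 10.in-addr.arpa, so 172.16/12 and 192.168/16 still hit
# unbound's built-in empty zones.
SAMPLE_CONF = """\
server:
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
forward-zone:
        # Forward to the cluster caching hub
        name: .
        forward-addr: 192.0.2.53   # constructed documentation address
"""

if __name__ == "__main__":
    print(unbound_stanza("192.168.0.0/16"))
    for zone, missing in sorted(missing_overrides(SAMPLE_CONF).items()):
        print(f"{zone}: missing {', '.join(missing)}")
```

Running it prints the two lines for 168.192.in-addr.arpa followed by seventeen zones (16.172 through 31.172 plus 168.192) flagged as missing both statements; appending unbound_stanza("172.16.0.0/12") and unbound_stanza("192.168.0.0/16") to the fragment makes the report empty. As the mail notes, after editing the file do a full restart rather than a reload if you want to be sure the built-in stubs are really gone.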


More information about the freebsd-stable mailing list