stable/10: unbound refuses to forward some DNS queries
Dmitry Morozovsky
marck at rinet.ru
Mon Jun 30 12:43:15 UTC 2014
On Sun, 29 Jun 2014, Peter Wemm wrote:
> > > subset seems to be enough:
> > > #suggested by kib@
> > > domain-insecure: "168.192.in-addr.arpa."
> > > local-zone: "168.192.in-addr.arpa." transparent
> >
> > ... and it turned out that even the last line is optional.
> >
> > To clarify: ALL queries for my case should be forwarded.
> >
> > It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014
>
> I use 'nodefault' instead of 'transparent' for these.
>
> I'm pretty sure you do need it because unbound has the RFC1918 and other
> "fake" addresses stubbed out. If you only did a 'reload' after changing it,
> the stubs would have been replaced with a live address. I'd expect a full
> kill/restart to not work without it.
Yes, you're absolutely right.
> You need the domain-insecure for 168.192.in-addr.arpa because there is an NSEC3
> hash on 192.in-addr.arpa that has a 'proof of non existence' for the 192.168
> node underneath.
Maybe then we could improve the logic in local-unbound-setup.sh to detect
RFC1918 addresses active on interfaces up and generate unbound.conf
accordingly?
--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck at FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck at rinet.ru ***
------------------------------------------------------------------------
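
Added example, not part of the original message and not code from local-unbound-setup.sh: a sketch of the detection suggested above, turning RFC1918 addresses found in ifconfig output into the domain-insecure and local-zone lines discussed in the thread. The function names are hypothetical, the sample input is constructed, and 'nodefault' follows Peter Wemm's reply.

```sh
# Added example; function names are hypothetical, not from local-unbound-setup.sh.
# Print the reverse zone for an RFC 1918 IPv4 address; return 1 otherwise.
rfc1918_zone() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case "$octet" in ""|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    if [ "$o1" -eq 10 ]; then
        echo "10.in-addr.arpa."
    elif [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then
        echo "${o2}.172.in-addr.arpa."
    elif [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then
        echo "168.192.in-addr.arpa."
    else
        return 1
    fi
}

# Read ifconfig-style text on stdin; for each distinct RFC 1918 reverse zone
# seen on an "inet" line, emit the two server: options from the thread.
gen_unbound_overrides() {
    awk '$1 == "inet" { print $2 }' |
    while read -r addr; do
        rfc1918_zone "$addr" || true   # skip public and loopback addresses
    done | sort -u |
    while read -r zone; do
        printf 'domain-insecure: "%s"\n' "$zone"
        printf 'local-zone: "%s" nodefault\n' "$zone"
    done
}

# Constructed sample in FreeBSD ifconfig layout (not captured output).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.7.1 netmask 0xffffff00 broadcast 192.168.7.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 172.20.3.4 netmask 0xffff0000 broadcast 172.20.255.255
    inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
EOF
}

sample_ifconfig | gen_unbound_overrides
```

The generated lines belong in the server: section of unbound.conf; per the thread, a full restart rather than a reload is the way to confirm they took effect.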