Maintained by: NLnet Labs

[Unbound-users] A few ideas and questions

Teran McKinney
Tue Sep 9 00:09:19 CEST 2008


Hi,

After using Unbound for about a month and a half now, I've conjured up
a few ideas I would like to share. I have also come across a few
things that may be bugs, but I'm not sure.

While Unbound has been working perfectly under normal use (with
DNSSEC, too), I have had a few problems with a seperate Unbound
resolver forwarding requests to my primary resolver and a nameserver
for a private TLD. I originally did this with a root.hints file (I
discovered that Unbound keeps the default root servers unless they are
explicitly overwritten by root.hints, and found this to be a bit
strange), but it would often stop resolving to the primary resolver
for "." (which it should use for all zones except ".el"). I also tried
with a stub zone for ".el" and forwarding ".", however stub zones do
not seem to work when a forwarding zone is set. Finally, I settled on
using forwarding for both zones, but this seems to stop resolving both
"." and ".el" quite often. Before, I had positioned the ".el"
forwarding zone above the "." zone in the config file, but have since
(this morning), reordered them to see if that was the source of the
problem. It has not stopped resolving yet, but I will have to wait and
see. Here is the current configuration:
<ftp://icadyptes.go-beyond.org/other/unbound.conf> (fd11:2358:1321::1
points to NSD running on the same server).

I have a couple suggestions for Unbound, but they are quite minor in
general and Unbound is already an amazing caching resolver. The
release notes for 1.0.2
<http://www.unbound.net/documentation/patch_announce102.html> are very
comprehensive, and much like a full-blown article on DNS security. It
states that Unbound even randomly alternates between resolving over
IPv4 and IPv6 when possible for more security. While this behavior is
very impressive and helps increase security, I think that an option to
prefer IPv4 or IPv6 would be nice to have. Opportunistic encryption
through IPSEC is easier to do on IPv6, and could offer additional
protection underneath the application layer. For that reason, and
because I would rather see more of my packets go out over IPv6, I
would personally like to be able to set my resolver to always prefer
IPv6, even at the slight cost of security. Of course, this is quite
minor in comparsion to the rest of Unbound and the needs of a caching
resolver. I would like to submit a patch for it, but have neither the
C skills (yet), or time.

If my above experience with stub zones not working with forwarding
zones was not just user error, I think it would be nice to be able to
use stub zones and forwarding zones in the same configuration. By the
way, how does Unbound treat stub zones differently than forwarding
zones? Also, for some reason, requests forwarded to my main Unbound
resolver answer requests with bad DNSSEC signatures (IE: one of the
purposefully invalid subdomains at dnssec-tools.org), even though such
requests directly through that server give no results (since the
resolver has been configured with that domain's DNSSEC key). Perhaps I
should be using stub zones instead? I don't understand why it would
not give an identical answer to the server it forwards requests to,
but am not a master of the DNS protocol either.

Let me know if you need any more information or help testing patches.

Thanks,
Teran (sega01)

PS: Does NLnet Labs have an IRC channel?