Maintained by: NLnet Labs

[Unbound-users] stub vs. forward vs. redirect

W.C.A. Wijngaards
Thu Sep 17 12:35:13 CEST 2009


Hi Tony,

On 09/14/2009 08:48 PM, Tony Finch wrote:
> We have a number of private zones on our site: a forward zone
> private.cam.ac.uk, and a number of reverse zones under 172.16.0.0/12.
> Should I configure these as stub zones, forward zones, or redirect zones?

As stub zones.  Possibly set
local-zone: "16.172.in-addr.arpa" nodefault
so that unbound does not provide default blocking for the zone.

If you made them forward-zones, it would likely work as well, but if
there are CNAMEs then you probably want unbound to process the cname
chain chasing, as the other server is authoritative for these zones.

A redirect would work if you want to block access to those zones, and
return an answer to some 'redirect notify' page in all cases.

> At the moment private.cam.ac.uk is not signed but cam.ac.uk is. Does
> DNSSEC validation affect how I should configure these zones? Do I need to
> use the domain-insecure option?

Well, if private.cam.ac.uk does not exist in cam.ac.uk at all, yes,
you need to use domain-insecure: "private.cam.ac.uk".

If cam.ac.uk has a delegation to private.cam.ac.uk then this turns
into a proper unsigned delegation and it works out of the box.

Best regards,
   Wouter
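
The settings named in the reply above, put together as one unbound.conf fragment. This is an added example, not part of the original message or of NLnet Labs' documentation; the stub-addr value is a placeholder for the site's authoritative server, and only one of the reverse zones under 172.16.0.0/12 is shown.

```conf
# unbound.conf fragment (constructed example; addresses are placeholders)
server:
    # Switch off unbound's default blocking for this reverse zone so
    # that queries reach the stub-zone below. 172.16.0.0/12 spans
    # 16.172.in-addr.arpa through 31.172.in-addr.arpa; repeat this line
    # for each reverse zone that is actually served.
    local-zone: "16.172.in-addr.arpa." nodefault

    # Needed only when the signed parent cam.ac.uk contains nothing for
    # private.cam.ac.uk. If the parent has an unsigned delegation to
    # the zone, leave this line out.
    domain-insecure: "private.cam.ac.uk."

# Stub zones: unbound queries the authoritative server directly and
# does the CNAME chain chasing itself.
stub-zone:
    name: "private.cam.ac.uk."
    # placeholder address of the authoritative server
    stub-addr: 192.0.2.53

stub-zone:
    name: "16.172.in-addr.arpa."
    # placeholder address of the authoritative server
    stub-addr: 192.0.2.53
```

Running unbound-checkconf on the merged configuration confirms that the clauses parse before the resolver is restarted.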