-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Tony,

On 09/14/2009 08:48 PM, Tony Finch wrote:
> We have a number of private zones on our site: a forward zone
> private.cam.ac.uk, and a number of reverse zones under 172.16.0.0/12.
> Should I configure these as stub zones, forward zones, or redirect zones?

As stub zones. Possibly set local-zone: "16.172.in-addr.arpa" nodefault so
that unbound does not provide default blocking for the zone.

If you made them forward-zones, it would likely work as well, but if there
are CNAMEs then you probably want unbound to process the CNAME chain chasing,
as the other server is authoritative for these zones.

A redirect would work if you want to block access to those zones, and return
an answer to some 'redirect notify' page in all cases.

> At the moment private.cam.ac.uk is not signed but cam.ac.uk is. Does
> DNSSEC validation affect how I should configure these zones? Do I need to
> use the domain-insecure option?

Well, if private.cam.ac.uk does not exist in cam.ac.uk at all, yes, you need
to use domain-insecure: "private.cam.ac.uk". If cam.ac.uk has a delegation
to private.cam.ac.uk then this turns into a proper unsigned delegation and it
works out of the box.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkqyEOAACgkQkDLqNwOhpPgHqACePsEp0MRbXnf/8QA0kuz84W24
Xw4Anj8isOaugV4WSzwsndAjpIvh5EBi
=sqn5
-----END PGP SIGNATURE-----
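The three settings Wouter recommends (stub-zone, local-zone nodefault, and domain-insecure for a zone that is not delegated from the signed parent) fit together in one unbound.conf fragment. The following is an added example, not a configuration from the thread or from the Unbound project: the stub server address 172.16.0.53 is a placeholder, and only two of the reverse zones under 172.16.0.0/12 are shown (the same pattern applies to each /16 that unbound blocks by default).

```conf
server:
    # Unbound ships default local-zones for the RFC 1918 reverse zones, so a
    # query for 16.172.in-addr.arpa would get a local NXDOMAIN instead of going
    # to the stub server.  "nodefault" switches that default off for the zones
    # that the internal authoritative server actually serves.
    local-zone: "16.172.in-addr.arpa." nodefault
    local-zone: "17.172.in-addr.arpa." nodefault

    # private.cam.ac.uk is not delegated from the signed cam.ac.uk zone, so a
    # validator would otherwise treat its (unsigned) answers as bogus because
    # cam.ac.uk proves, via NSEC/NSEC3, that the name does not exist there.
    # Mark it insecure so validation is skipped below this name.  Do NOT add
    # this line once cam.ac.uk carries a real (unsigned) delegation: the
    # delegation's proof of "no DS" already makes the subtree insecure.
    domain-insecure: "private.cam.ac.uk"

# Stub zones: unbound asks the listed authoritative server directly and then
# resolves the rest of any CNAME chain itself, which is why Wouter prefers
# stub-zone over forward-zone here.
stub-zone:
    name: "private.cam.ac.uk."
    stub-addr: 172.16.0.53        # placeholder: internal authoritative server

stub-zone:
    name: "16.172.in-addr.arpa."
    stub-addr: 172.16.0.53        # placeholder: same internal server

stub-zone:
    name: "17.172.in-addr.arpa."
    stub-addr: 172.16.0.53        # placeholder: same internal server
```

After editing, run unbound-checkconf before reloading; a missing trailing dot or a local-zone name that does not match the stub-zone name exactly is the usual reason the nodefault line silently fails to take effect. To confirm the reverse zone is really reaching the stub server rather than the built-in block, query a PTR name under it and check that the answer carries the internal server's data instead of NXDOMAIN with an empty authority section.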