Maintained by: NLnet Labs

[Unbound-users] Problem resolving private domains

lst_hoe02 at kwsoft.de
Mon Oct 25 20:19:00 CEST 2010


Quoting "W.C.A. Wijngaards" <wouter at NLnetLabs.nl>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Andreas,
>
> On 10/25/2010 04:37 PM, lst_hoe02 at kwsoft.de wrote:
>> Quoting lst_hoe02 at kwsoft.de:
>>> Sorry, forgot the first question. The "private-address:" is not set at
>>> all, so Unbound should not strip anything I guess?
>>
>> May it be related to the fact that the .cz TLD is DNSSEC signed and the
>> .de not? Both subdomains don't use DNSSEC until now and have no trust
>> chain but that's the only difference I came up with...
>
> Yes if your own domain is not signed, then you must give:
> 	domain-insecure: "domain2.cz"
>
> So that unbound understands that there is no DS record published in .cz
> for domain2.cz.

Okay, with "domain-insecure: domain2.cz" it works. But it strikes me
as odd why internal.domain2.cz is different from Unbound's point of
view than any other .cz domain? After all, Unbound forwards all
queries to the upstream Bind anyway. I guess it is best to list all
private domains also as insecure domains in case the TLDs will be
signed some day.

Many Thanks

Andreas
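
The check suggested at the end of this message, as an added example that is not part of the original thread or of Unbound itself: a small Python lint that reads unbound.conf text and reports private zones with no `domain-insecure:` entry at or above them. The sample configuration, the zone `lab.example`, the address 192.0.2.53 and the list of private zones passed in are constructed, and the script assumes those zones are unsigned.

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = '''
server:
    domain-insecure: "domain2.cz"   # the fix from the reply above
stub-zone:
    name: "lab.example."            # hypothetical internal zone
    stub-addr: 192.0.2.53
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
'''

def norm(name):
    """Lower-case a name; drop quotes and the trailing root dot."""
    return name.strip().strip('"').lower().rstrip(".")

def parse(conf):
    """Return (stub/forward zone names, domain-insecure names)."""
    zones, insecure, clause = set(), set(), None
    for raw in conf.splitlines():
        m = re.match(r"\s*([a-z0-9-]+):\s*(.*)$", raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value:
            clause = key                      # "server:", "stub-zone:", ...
        elif key == "domain-insecure":
            insecure.add(norm(value))
        elif key == "name" and clause in ("stub-zone", "forward-zone"):
            zones.add(norm(value))
    zones.discard("")                         # "." is not a private zone
    return zones, insecure

def covered(zone, insecure):
    """True if the zone or one of its parents is marked domain-insecure."""
    labels = zone.split(".")
    return any(".".join(labels[i:]) in insecure for i in range(len(labels)))

def missing_insecure(conf, private_zones=()):
    """Private zones that have no domain-insecure entry at or above them."""
    zones, insecure = parse(conf)
    zones |= {norm(z) for z in private_zones}
    return sorted(z for z in zones if not covered(z, insecure))

if __name__ == "__main__":
    private = ["internal.domain2.cz", "internal.domain1.de"]  # admin-supplied
    for zone in missing_insecure(SAMPLE_CONF, private):
        print(f'add to server clause:  domain-insecure: "{zone}"')
```
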