Maintained by: NLnet Labs

[Unbound-users] private-address behaviour

W.C.A. Wijngaards
Thu Jan 27 13:26:16 CET 2011


Hi Jakub,

On 01/27/2011 11:57 AM, Jakub Heichman wrote:
> Greetings,
> 
> After configuring private-address (and private-domain) entries I was
> hoping that unbound would simply strip the private IP addresses from
> responses.
> However in my testing (unbound 1.4.8 and previous versions) I'm seeing
> that the queries will SERVFAIL, also for domains whose NS records point
> to a name that resolves to a private address, for example:

Yes this is caused by line 648 of iterator/iter_scrub.c.  This is
extra-paranoid, since it can also just strip off the offending record.

> I'm wondering if this is expected behaviour? Should I be seeing SERVFAIL
> (note long query time) or NOERROR/NODATA with private data stripped?

If you comment out that line you get the behaviour with NOERROR/NODATA
with private data stripped.

Best regards,
   Wouter
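
The two outcomes discussed in this thread (SERVFAIL versus NOERROR/NODATA with the private data stripped), as a simplified model added here; it is not Unbound's code and does not reproduce iterator/iter_scrub.c. The networks, domain names and the `strip`/`fail` policy names are constructed for illustration.

```python
import ipaddress

# Constructed sample values; in unbound.conf these would come from the
# private-address: and private-domain: entries.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PRIVATE_DOMAINS = ("corp.example.",)

# Constructed sample response: (owner name, RR type, rdata).
RESPONSE = [
    ("www.example.net.", "A", "192.168.1.10"),   # public name, private address
    ("www.example.net.", "A", "203.0.113.7"),    # public name, public address
    ("host.corp.example.", "A", "10.1.2.3"),     # allowed by private-domain
]


def is_private(addr):
    """True if addr falls inside one of the configured private networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in PRIVATE_NETS)


def in_private_domain(name):
    """True if name equals, or is a subdomain of, a configured private domain."""
    name = name.lower().rstrip(".") + "."
    return any(name == d or name.endswith("." + d) for d in PRIVATE_DOMAINS)


def scrub(records, policy):
    """Apply the private-address check to a list of records.

    policy is a hypothetical switch for this model:
      'strip' drops offending records and answers NOERROR (NODATA if none remain)
      'fail'  rejects the whole response with SERVFAIL if any record offends
    Returns (rcode, kept_records).
    """
    kept, offending = [], 0
    for owner, rrtype, rdata in records:
        if rrtype in ("A", "AAAA") and is_private(rdata) and not in_private_domain(owner):
            offending += 1          # private address on a name outside private-domain
            continue
        kept.append((owner, rrtype, rdata))
    if offending and policy == "fail":
        return "SERVFAIL", []
    return "NOERROR", kept
```
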