[Unbound-users] rDNS stubs not working (unbound + nsd3)
Ville Walveranta
walveranta at gmail.com
Sun Oct 28 20:58:48 UTC 2012
Continuing with my BIND to unbound+nsd3 migration I'm looking at
reverse resolution. While forward resolution stubs work fine, I don't
seem to be able to get the reverse stubs working. Here's what I have
currently:
I have NSD3 set up on the localhost, different interface, as the
authoritative server with a pretty simple config:
server:
    ip-address: 172.22.22.185
    port: 53
    ip4-only: yes
    logfile: "/var/log/nsd.log"
    verbosity: 2
    zonesdir: "/etc/nsd3/zonedata"
zone:
    name: "22.22.172.in-addr.arpa"
    zonefile: "_reverse.22.22.172"
zone:
    name: "mytestzone.lan"
    zonefile: "mytestzone.lan"
Now if I dig... dig @172.22.22.185 mytestzone.lan, I get:
# dig @172.22.22.185 mytestzone.lan
----
; <<>> DiG 9.8.1-P1 <<>> @172.22.22.185 mytestzone.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14794
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mytestzone.lan. IN A
;; ANSWER SECTION:
mytestzone.lan. 60 IN A 10.0.0.2
;; AUTHORITY SECTION:
mytestzone.lan. 60 IN NS ns3.externalized.net.
;; Query time: 0 msec
;; SERVER: 172.22.22.185#53(172.22.22.185)
;; WHEN: Sun Oct 28 20:44:22 2012
;; MSG SIZE rcvd: 96
----
That's all good. Then I do: dig @172.22.22.185 -x 172.22.22.180
----
# dig @172.22.22.185 -x 172.22.22.180
; <<>> DiG 9.8.1-P1 <<>> @172.22.22.185 -x 172.22.22.180
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58336
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;180.22.22.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
180.22.22.172.in-addr.arpa. 60 IN PTR moonpod.externalized.net.
;; AUTHORITY SECTION:
22.22.172.in-addr.arpa. 60 IN NS ns3.externalized.net.
;; Query time: 2 msec
;; SERVER: 172.22.22.185#53(172.22.22.185)
;; WHEN: Sun Oct 28 20:45:48 2012
;; MSG SIZE rcvd: 126
----
Still all good.
Now, from Unbound which I have configured like so:
----
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    interface: 127.0.0.1
    port: 53
    directory: "/etc/unbound"
    chroot: ""
    username: "unbound"
    access-control: 127.0.0.1/32 allow
    access-control: 172.22.22.0/24 allow
    root-hints: "/etc/unbound/root.hints"
    module-config: "iterator"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    do-ip6: no
    verbosity: 2
    identity: ""
    hide-version: yes
    logfile: "/var/log/unbound/unbound.log"
    use-syslog: no
    log-time-ascii: yes
    log-queries: yes
    private-domain: "externalized.net"
    local-zone: "172.in-addr.arpa" nodefault
forward-zone:
    name: "."
    forward-addr: 4.2.2.1
    forward-addr: 4.2.2.2
    forward-addr: 4.2.2.3
    forward-addr: 4.2.2.4
    forward-addr: 4.2.2.5
    forward-addr: 4.2.2.6
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
stub-zone:
    name: "externalized.net"
    stub-addr: 172.22.22.185
    stub-prime: "no"
stub-zone:
    name: "mytestzone.lan"
    stub-addr: 172.22.22.185
    stub-prime: "no"
stub-zone:
    name: "22.22.172.in-addr.arpa"
    stub-addr: 172.22.22.185
    stub-prime: "no"
----
Now I try to query through Unbound:
----
# dig @localhost ns3.externalized.net a
; <<>> DiG 9.8.1-P1 <<>> @localhost ns3.externalized.net a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2860
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns3.externalized.net. IN A
;; ANSWER SECTION:
ns3.externalized.net. 60 IN A 172.22.22.185
;; AUTHORITY SECTION:
externalized.net. 60 IN NS ns3.externalized.net.
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 20:49:57 2012
;; MSG SIZE rcvd: 68
----
Forward stub is working, good... now I try the reverse stub:
----
# dig @localhost -x 172.22.22.185
; <<>> DiG 9.8.1-P1 <<>> @localhost -x 172.22.22.185
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18961
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;185.22.22.172.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
22.172.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 20:50:49 2012
;; MSG SIZE rcvd: 103
----
No response! It seems the AS112 blocking is in effect. Why is the
authority section reduced to "22.172.in-addr.arpa." when it's supposed
to be "22.22.172.in-addr.arpa"? Here's the reverse zone file:
----
$ORIGIN 22.22.172.in-addr.arpa.
$TTL 1m
@       SOA     ns3.externalized.net. admin.externalized.net. (
                2012102801  ; serial
                3h          ; refresh
                1h          ; retry
                3w          ; expire
                1h )        ; minimum TTL
        NS      ns3.externalized.net.
        RP      admin.externalized.net. externalized.net.
1       PTR     externalized.net.
2       PTR     unassigned.externalized.net.
180     PTR     moonpod.externalized.net.
185     PTR     ns3.externalized.net.
----
This appears to be an Unbound issue, since querying NSD directly works fine.
I've combed the web for suggestions and tried:
local-zone: "172.in-addr.arpa" transparent
local-zone: "22.22.172.in-addr.arpa" nodefault
etc., but to no avail.
Also, when the local-zone clause is present for the in-addr.arpa zone
the following error shows up in the log: "error: duplicate forward
zone ignored".
Any ideas what might be wrong?
Thanks for any ideas!!
Ville
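Added illustration, not part of Ville's post: Unbound ships a set of built-in AS112-style local zones for RFC 1918 space, and for 172.16/12 they are defined one per /16 (16.172.in-addr.arpa through 31.172.in-addr.arpa). That is why the NXDOMAIN above carries an SOA owned by "22.172.in-addr.arpa." with the synthetic "localhost. nobody.invalid." contents: the built-in zone is still active, because there is no default zone named "172.in-addr.arpa" for the posted nodefault clause to release. The fragment below, written here as an example rather than taken from the post's config, shows the posted clause beside the one that matches the built-in zone name; the stub zone and its address are copied from the post.

```conf
server:
    # As posted: no built-in local zone is named "172.in-addr.arpa",
    # so this clause releases nothing and Unbound's own
    # "22.172.in-addr.arpa" zone keeps answering NXDOMAIN locally.
    # local-zone: "172.in-addr.arpa" nodefault

    # Corrected: name the built-in zone exactly. The 172.16/12 defaults
    # are per /16, so the one covering 172.22.22.0/24 is 22.172.
    local-zone: "22.172.in-addr.arpa" nodefault

# Unchanged from the post: with the default zone released, the
# iterator can follow this stub to NSD for the /24 reverse zone.
stub-zone:
    name: "22.22.172.in-addr.arpa"
    stub-addr: 172.22.22.185
    stub-prime: "no"
```

To verify, run `unbound-checkconf` on the edited file, restart Unbound, and repeat `dig @localhost -x 172.22.22.185`: the answer should now carry the PTR that NSD returned directly, with flags `qr rd ra` and no `aa`, since Unbound is no longer answering from a local zone. If remote control is enabled, `unbound-control list_local_zones` lists the built-in zones still in effect and is the quickest way to confirm that 22.172.in-addr.arpa has disappeared from the list. Because the posted config runs only the iterator module, no DNSSEC settings are involved; if the validator is added to module-config later, an unsigned private reverse zone served through a stub needs a matching `domain-insecure` entry as well.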