Maintained by: NLnet Labs

[Unbound-users] rDNS stubs not working (unbound + nsd3)

W.C.A. Wijngaards
Mon Oct 29 10:03:59 CET 2012


Hi Ville,

From the response you can see it responds with the SOA from
22.172.in-addr.arpa; this is because you need this nodefault statement:
     local-zone: "22.172.in-addr.arpa" nodefault

(the 172 nodefault is not specific in the config you listed).

Best regards,
   Wouter


On 10/28/2012 09:58 PM, Ville Walveranta wrote:
> Continuing with my BIND to unbound+nsd3 migration I'm looking at
> reverse resolution. While forward resolution stubs work fine, I
> don't seem to be able to get the reverse stubs working. Here's what
> I have currently:
> 
> I have NSD3 set up on the localhost, different interface, as the
> authoritative server with a pretty simple config:
> 
> server:
>     ip-address: 172.22.22.185
>     port: 53
>     ip4-only: yes
> 
>     logfile: "/var/log/nsd.log"
>     verbosity: 2
> 
>     zonesdir: "/etc/nsd3/zonedata"
> 
> zone:
>     name: "22.22.172.in-addr.arpa"
>     zonefile: "_reverse.22.22.172"
> 
> zone:
>     name: "mytestzone.lan"
>     zonefile: "mytestzone.lan"
> 
> Now if I dig... dig @172.22.22.185 mytestzone.lan, I get:
> 
> ----
> # dig @172.22.22.185 mytestzone.lan
> 
> ; <<>> DiG 9.8.1-P1 <<>> @172.22.22.185 mytestzone.lan
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14794
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;mytestzone.lan.                        IN      A
> 
> ;; ANSWER SECTION:
> mytestzone.lan.         60      IN      A       10.0.0.2
> 
> ;; AUTHORITY SECTION:
> mytestzone.lan.         60      IN      NS      ns3.externalized.net.
> 
> ;; Query time: 0 msec
> ;; SERVER: 172.22.22.185#53(172.22.22.185)
> ;; WHEN: Sun Oct 28 20:44:22 2012
> ;; MSG SIZE  rcvd: 96
> ----
> 
> That's all good. Then I do: dig @172.22.22.185 -x 172.22.22.180
> 
> ----
> # dig @172.22.22.185 -x 172.22.22.180
> 
> ; <<>> DiG 9.8.1-P1 <<>> @172.22.22.185 -x 172.22.22.180
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58336
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;180.22.22.172.in-addr.arpa.    IN      PTR
> 
> ;; ANSWER SECTION:
> 180.22.22.172.in-addr.arpa. 60  IN      PTR     moonpod.externalized.net.
> 
> ;; AUTHORITY SECTION:
> 22.22.172.in-addr.arpa. 60      IN      NS      ns3.externalized.net.
> 
> ;; Query time: 2 msec
> ;; SERVER: 172.22.22.185#53(172.22.22.185)
> ;; WHEN: Sun Oct 28 20:45:48 2012
> ;; MSG SIZE  rcvd: 126
> ----
> 
> Still all good.
> 
> Now, from Unbound which I have configured like so:
> 
> ----
> server:
>     auto-trust-anchor-file: "/var/lib/unbound/root.key"
> 
>     interface:      127.0.0.1
>     port:           53
> 
>     directory:      "/etc/unbound"
>     chroot:         ""
>     username:       "unbound"
>     access-control: 127.0.0.1/32 allow
>     access-control: 172.22.22.0/24 allow
> 
>     root-hints:     "/etc/unbound/root.hints"
>     module-config:  "iterator"
> 
>     pidfile:        "/var/run/unbound.pid"
>     use-syslog:     yes
>     do-ip6:         no
>     verbosity:      2
> 
>     identity:       ""
>     hide-version:   yes
> 
>     logfile: "/var/log/unbound/unbound.log"
>     use-syslog: no
>     log-time-ascii: yes
>     log-queries: yes
> 
>     private-domain: "externalized.net"
>     local-zone: "172.in-addr.arpa" nodefault
> 
> forward-zone:
>     name: "."
>     forward-addr: 4.2.2.1
>     forward-addr: 4.2.2.2
>     forward-addr: 4.2.2.3
>     forward-addr: 4.2.2.4
>     forward-addr: 4.2.2.5
>     forward-addr: 4.2.2.6
>     forward-addr: 8.8.8.8
>     forward-addr: 8.8.4.4
> 
> stub-zone:
>     name: "externalized.net"
>     stub-addr: 172.22.22.185
>     stub-prime: "no"
> 
> stub-zone:
>     name: "mytestzone.lan"
>     stub-addr: 172.22.22.185
>     stub-prime: "no"
> 
> stub-zone:
>     name: "22.22.172.in-addr.arpa"
>     stub-addr: 172.22.22.185
>     stub-prime: "no"
> ----
> 
> 
> Now I try to query through Unbound:
> 
> ----
> # dig @localhost ns3.externalized.net a
> 
> ; <<>> DiG 9.8.1-P1 <<>> @localhost ns3.externalized.net a
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2860
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;ns3.externalized.net.          IN      A
> 
> ;; ANSWER SECTION:
> ns3.externalized.net.   60      IN      A       172.22.22.185
> 
> ;; AUTHORITY SECTION:
> externalized.net.       60      IN      NS      ns3.externalized.net.
> 
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Oct 28 20:49:57 2012
> ;; MSG SIZE  rcvd: 68
> ----
> 
> Forward stub is working, good... now I try the reverse stub:
> 
> ----
> # dig @localhost -x 172.22.22.185
> 
> ; <<>> DiG 9.8.1-P1 <<>> @localhost -x 172.22.22.185
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18961
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;185.22.22.172.in-addr.arpa.    IN      PTR
> 
> ;; AUTHORITY SECTION:
> 22.172.in-addr.arpa.    10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Oct 28 20:50:49 2012
> ;; MSG SIZE  rcvd: 103
> ----
> 
> No response! It seems the AS112 blocking is in effect. Why is
> the authority section reduced to "22.172.in-addr.arpa." when it's
> supposed to be "22.22.172.in-addr.arpa"? Here's the reverse zone
> file:
> 
> ----
> $ORIGIN 22.22.172.in-addr.arpa.
> $TTL 1m
> 
> @       SOA ns3.externalized.net. admin.externalized.net. (
>                 2012102801      ; serial
>                 3h              ; refresh
>                 1h              ; retry
>                 3w              ; expire
>                 1h )            ; minimum TTL
> 
>         NS      ns3.externalized.net.
> 
>         RP      admin.externalized.net. externalized.net.
> 
> 1       PTR     externalized.net.
> 2       PTR     unassigned.externalized.net.
> 180     PTR     moonpod.externalized.net.
> 185     PTR     ns3.externalized.net.
> ----
> 
> This appears to be an Unbound issue since querying NSD directly works
> fine. I've combed the web for suggestions, tried
>     local-zone: "172.in-addr.arpa" transparent
>     local-zone: "22.22.172.in-addr.arpa" nodefault
> etc., but to no avail.
> 
> Also, when the local-zone clause is present for the in-addr.arpa
> zone the following error shows up in the log: "error: duplicate
> forward zone ignored".
> 
> Any ideas what might be wrong?
> 
> Thanks for any ideas!!
> 
> Ville
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 

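The point of Wouter's reply is that Unbound ships a built-in local zone for each RFC 1918 reverse tree (22.172.in-addr.arpa is one of sixteen 16-31.172.in-addr.arpa zones) so that queries for private address space are answered locally instead of leaking to the AS112 servers, and that a `nodefault` statement only releases a built-in zone when it names that zone exactly: the parent `172.in-addr.arpa` and the child `22.22.172.in-addr.arpa` both leave the default in place, which is why the SOA in the NXDOMAIN answer comes from `22.172.in-addr.arpa`. The following check is an added example, not code from the thread or from NLnet Labs: it scans unbound.conf text for stub-zone and forward-zone names that fall under a built-in default zone and reports those without an exact matching `nodefault`. The default-zone list is a subset copied from the "Default Zones" section of unbound.conf(5); the sample configuration is constructed after the one in the post.

```python
import re

# Subset of Unbound's built-in default local zones, taken from the
# "Default Zones" list in unbound.conf(5): loopback plus the RFC 1918
# reverse zones. The full list is longer (0.in-addr.arpa,
# 254.169.in-addr.arpa, the ip6.arpa entries, ...); extend it from the
# man page of the version you run.
DEFAULT_LOCAL_ZONES = (
    ["127.in-addr.arpa", "10.in-addr.arpa", "168.192.in-addr.arpa"]
    + ["%d.172.in-addr.arpa" % n for n in range(16, 32)]
)


def _norm(name):
    """Lower-case a zone name and drop surrounding quotes and the trailing dot."""
    return name.strip().strip('"').rstrip(".").lower()


def covering_default_zone(name):
    """Return the built-in default zone that covers `name` (the zone itself
    or an ancestor of it), or None when no default zone applies."""
    name = _norm(name)
    for zone in DEFAULT_LOCAL_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def check_stub_zones(conf_text):
    """Find stub-zone/forward-zone names that a built-in default zone would
    shadow and that have no exact `local-zone: "<default>" nodefault`.

    Returns a list of (zone_name, default_zone_to_release) tuples; an empty
    list means every stub under a default zone is reachable. Only key/value
    pairs are inspected, so indented files and the flattened form seen in
    mailing-list posts are both accepted.
    """
    zone_names = re.findall(r'\bname:\s*"?([^"\s]+)"?', conf_text)
    released = set()
    for zone, ztype in re.findall(r'\blocal-zone:\s*"?([^"\s]+)"?\s+(\S+)', conf_text):
        if ztype.lower() == "nodefault":
            released.add(_norm(zone))
    problems = []
    for name in zone_names:
        default_zone = covering_default_zone(name)
        # nodefault must name the default zone itself: a parent
        # (172.in-addr.arpa) or a child (22.22.172.in-addr.arpa) does not
        # release it.
        if default_zone is not None and default_zone not in released:
            problems.append((_norm(name), default_zone))
    return problems


# Constructed sample modelled on the configuration in the post: the
# nodefault names the parent 172.in-addr.arpa instead of the default zone.
BROKEN_CONF = '''
server:
    interface: 127.0.0.1
    local-zone: "172.in-addr.arpa" nodefault
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
stub-zone:
    name: "externalized.net"
    stub-addr: 172.22.22.185
stub-zone:
    name: "22.22.172.in-addr.arpa"
    stub-addr: 172.22.22.185
'''

# The same file with the statement from the reply added to the server clause.
FIXED_CONF = BROKEN_CONF.replace(
    'local-zone: "172.in-addr.arpa" nodefault',
    'local-zone: "172.in-addr.arpa" nodefault\n'
    '    local-zone: "22.172.in-addr.arpa" nodefault',
)

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for zone, default_zone in check_stub_zones(conf):
            print('%s: stub "%s" is shadowed; add: local-zone: "%s" nodefault'
                  % (label, zone, default_zone))
```

Running it against the broken sample reports the `22.22.172.in-addr.arpa` stub and names `22.172.in-addr.arpa` as the zone to release; against the fixed sample it reports nothing. Releasing only the one /16 the stub needs keeps the other built-in zones in place, so reverse lookups for the rest of the private ranges still stay inside the resolver.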