Maintained by: NLnet Labs

[Unbound-users] failure to create a stub-zone for AS112 zone

Jeremie Le Hen
Mon Mar 11 17:34:12 CET 2013


Hi!

> On 03/10/2013 08:10 PM, Leen Besselink wrote:
> > On Sun, Mar 10, 2013 at 02:15:10PM +0100, Jeremie Le Hen wrote:
> > 
> > Maybe I'm mistaken, but I believe you might also need 1 of these
> > ?:
> > 
> > private-address: <IP address or subnet> Give IPv4 or IPv6 addresses
> > or classless subnets. These are addresses on your private network,
> > and are not allowed to be returned for public internet names. Any
> > occurrence of such addresses is removed from DNS answers.
> > Additionally, the DNSSEC validator may mark the answers bogus. This
> > protects against so-called DNS Rebinding, where a user browser is
> > turned into a network proxy, allowing remote access through the
> > browser to other parts of your private network. Some names can be
> > allowed to contain your private addresses, by default all the
> > local-data that you configured is allowed to, and you can specify
> > additional names using private-domain. No private addresses are
> > enabled by default. We consider to enable this for the RFC1918
> > private IP address space by default in later releases. That would
> > enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
> > 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say
> > these addresses should not be visible on the public internet.
> > Turning on 127.0.0.0/8 would hinder many spam-blocklists as they use
> > that.
> > 
> > private-domain: <domain name> Allow this domain, and all its
> > subdomains to contain private addresses. Give multiple times to
> > allow multiple domain names to contain private addresses. Default
> > is none.

If I understand correctly, I should not use private-address as they will
remove any occurrence of IP addresses from my local network; also, it
seems that private-domain only applies to forward zones, as reverse zones
do not return IP addresses, isn't it?

I tried both (independently) and it didn't work unfortunately.

On Mon, Mar 11, 2013 at 09:05:41AM +0100, W.C.A. Wijngaards wrote:
> 
> Change this line, I think,
>     local-zone: "1.168.192.in-addr.arpa." nodefault
> into this
>     local-zone: "168.192.in-addr.arpa." nodefault

Ok, indeed that works.  Is it the expected behaviour, and if yes, what is
the rationale for this?  I think we should be able to divide RFC1918
reverse zones further for convenience, unless there is a strong reason I
don't understand not to do that; I mean, I have the impression that
unbound somewhat enforces the pre-CIDR behaviour of these private
networks.

Cheers,
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
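An added configuration illustration (not from the thread, NLnet Labs or the unbound distribution) of why Wouter's change works, assuming a constructed stub server at 192.168.1.1 that is authoritative for 1.168.192.in-addr.arpa. Unbound's built-in AS112 local-zones are declared at the RFC1918 block boundaries (10.in-addr.arpa, 16.172.in-addr.arpa through 31.172.in-addr.arpa, and 168.192.in-addr.arpa), and `nodefault` only disables a built-in zone whose name matches exactly:

```conf
server:
    # Constructed example; addresses below are placeholders.
    #
    # Ineffective: no built-in zone is named "1.168.192.in-addr.arpa.",
    # so this line disables nothing. The built-in static zone for
    # 168.192.in-addr.arpa. still matches every query beneath it and
    # answers NXDOMAIN before the stub-zone is ever consulted.
    #local-zone: "1.168.192.in-addr.arpa." nodefault

    # Effective: remove the built-in zone that actually exists. Queries
    # under 168.192.in-addr.arpa. then resolve normally, and the stub
    # below catches 1.168.192.in-addr.arpa. (the rest of the /16 goes out
    # to the public AS112 servers, which is usually harmless but worth
    # knowing about).
    local-zone: "168.192.in-addr.arpa." nodefault

    # Alternative that keeps the built-in /16 zone in place: a more
    # specific "transparent" local-zone wins the closest-enclosing match
    # for its own /24, so only those queries fall through to the stub
    # while the remainder of 192.168.0.0/16 is still answered locally.
    #local-zone: "1.168.192.in-addr.arpa." transparent

stub-zone:
    # Assumed address of the server authoritative for 192.168.1.0/24.
    name: "1.168.192.in-addr.arpa."
    stub-addr: 192.168.1.1
```

Use one of the two approaches, not both; `unbound-checkconf` accepts either, and a PTR lookup under 1.168.192.in-addr.arpa. should then come back from the stub server rather than as a local NXDOMAIN.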