Maintained by: NLnet Labs

[Unbound-users] rDNS for fd::/8

Mike.
Wed Mar 27 18:29:12 CET 2013


On 3/27/2013 at 12:14 PM Mike. wrote:

|My unbound config file is:
|
|-------------------------------------
|server:
|	verbosity: 1
|
|	statistics-interval: 84600
|	statistics-cumulative: yes
|	extended-statistics: yes
|
|	interface:	10.20.1.1
|	interface:	127.0.0.1
|	interface:	fdcf:b715:2f4d:1::1
|	interface:	::1
|
|	access-control: 0.0.0.0/0		refuse
|	access-control:	10.0.0.0/8		allow
|	access-control: 127.0.0.1		allow
|
|	access-control: ::0/0			refuse
|	access-control: fdcf:b715:2f4d:1::/64	allow
|	access-control: fe80::/64		allow
|	access-control: ::1			allow
|	access-control:	::ffff:127.0.0.1	allow
|	access-control: 2001:xxxx:xxxx:1::/64	allow
|
|	cache-min-ttl: 	0
|
|	root-hints: "/var/unbound/etc/named.cache"
|
|#	auto-trust-anchor-file:	"/var/unbound/etc/root.key"
|
|	domain-insecure:	"241acl.lan"
|
|	local-zone: "10.in-addr.arpa." nodefault
|	local-zone: "d.f.ip6.arpa." nodefault
|
|
|stub-zone:
|	name: "241acl.lan"
|	stub-addr: fdcf:b715:2f4d:3::1
|
|stub-zone:
|	name: "10.in-addr.arpa"
|	stub-addr: fdcf:b715:2f4d:3::1
|
|stub-zone:
|	name: "d.f.ip6.arpa"
|	stub-addr: fdcf:b715:2f4d:3::1
|
|
|
|remote-control:
|	control-enable: 	yes
|	control-interface:	::1
|
|-----------------------------------------
|
|and I am running unbound 1.4.17 on OpenBSD 5.2.
|
|
|With the config file as above, all forward and reverse DNS lookups work
|fine.   However, when I uncomment the auto-trust-anchor-file, then the
|rDNS lookups for fd::/8 addresses stop working.   Increasing log
|verbosity, it looks like unbound is traipsing to the root servers
|looking for a DNSSEC key and not finding one.  Then the rDNS request is
|rejected, and I cannot figure out why....
|
|I know I am missing something obvious, but I just cannot see it ....
 =============


If I add:

	domain-insecure:        "d.f.ip6.arpa"


then rDNS works, even with the auto-trust-anchor-file enabled.


So then my question becomes --- in order for rDNS to work, why do I
need domain-insecure for d.f.ip6.arpa and not for 10.in-addr.arpa?