Maintained by: NLnet Labs

[Unbound-users] Stub with NS to stub doesn't work?

J L
Thu Feb 20 11:31:30 CET 2014


Thanks!

Upgrading to that version got me past that problem - and straight into the
next one. However, the next problem was to do with the config of one of the
other DNS servers.

I appreciate your help,
-- 
Jarrod


On 19 February 2014 11:51, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi J L,
>
> 1.4.21 has a fix for stubs and NS records from the internet (Fix
> queries leaking up for stubs and forwards, if the configured
> nameservers all fail to answer.)  Can you see if that fixes your
> problems, they look sort-of similar.
>
> Best regards,
>    Wouter
>
> On 02/19/2014 11:31 AM, J L wrote:
> > Hi,
> >
> > I have an odd problem; that I can't figure out how to get around.
> >
> > Short version: If unbound decides it needs to look up a name that
> > it got as an NS record, it ignores stub-zones when figuring out
> > where to talk to.
> >
> >
> > Long version: I have, in my unbound configuration on my core office
> > resolver: stub-zone: name: "z1.example.com
> > <http://z1.example.com>" stub-addr: 192.0.2.1 stub-zone: name:
> > "z2.example.com <http://z2.example.com>" stub-addr: 192.0.2.2
> >
> >
> > If I do a lookup of "foo.z1.example.com
> > <http://foo.z1.example.com>" against 192.0.2.1; I get an NS record
> > of "dns.z2.example.com <http://dns.z2.example.com>". If I do an NS
> > lookup against unbound, I get the same thing.
> >
> > If I lookup dns.z2.example.com <http://dns.z2.example.com> against
> > 192.0.2.2, I get an A record of 192.0.2.3. If I do this lookup
> > against unbound, I get the same thing.
> >
> > If I lookup host1.z1.example.com <http://host1.z1.example.com>
> > against 192.0.2.3; I get the correct A record.
> >
> > However, if I try to do all this in one go - lookup
> > host.z1.example.com <http://host.z1.example.com> against unbound -
> > it doesn't work. What appears to happen is that unbound correctly
> > determines that it should use dns.z2.example.com
> > <http://dns.z2.example.com> as the nameserver; but when looking up
> > that name itself, it ignores the "stub-zone" for z2.example.com
> > <http://z2.example.com>, and follows the normal DNS chain - which
> > means it goes out to the Internet, finds the nameservers for
> > example.com <http://example.com>, and asks them. They, however,
> > are _external_ nameservers, and know nothing about z2.example.com
> > <http://z2.example.com> - so they say "no", and unbound then caches
> > that no.
> >
> > This doesn't always happen - as best I can figure, if the name
> > dns.z2.example.com <http://dns.z2.example.com> gets looked up by
> > something outside the unbound box first (i.e. manually) while there
> > is no cached entry, then the stub-zone will be taken into account,
> > and the response cached. Then, when unbound wants to look up
> > dns.z2.example.com <http://dns.z2.example.com> itself (because it
> > just got that NS record from 192.0.2.1) it uses the cached entry
> > and all is fine - until, of course, the record expires.
> >
> >
> >
> > Does anyone have an idea of how I can convince unbound to use the
> > stub-zone even for its own lookups?
> >
> > Unbound 1.4.19 on CentOS 6.4.
> >
> >
> > Thanks, -- Jarrod Lowe
> >
> >
> > _______________________________________________ Unbound-users
> > mailing list Unbound-users at unbound.net
> > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJTBJraAAoJEJ9vHC1+BF+NxycP/3LfomX5jxGnS/aQHb3WmAoy
> sMXGwUwmacGkwlaPYywnq5T7SVTToD3RFha2pO35ojjjlpvwMyDSKKkf1mecypIX
> 45Bj0r+LHZykogwiIVs9eTJ+EZiwufF407wJLAWeYwCvNfoEpIls8h3tW2L/4YRC
> zxsA8mk6YSg3r0ESntIBkVSYhO2iel9PYDMTdAog7eFMX+oXzUJ0xpCMCv7FSoc/
> +oTWP8Hn0JOELSmvplYQtz6h2e0yDV+L3Mp6C+isCR4Ssr+c/RNm9lcNi2EuU03l
> bDYo2Unrb8dCd2kTBchmj4qSjbqZWwLkx5IvwGSqdIHeHp1gigUlxlBtcyuJUDoW
> tuX/FOEnQEaw2oLmf7M72KVNFcffi2N58Fytit6tfj7lkUZ3UWcAtg2rGGpRBmo4
> j8IagpQsWnS9MISuPiawOtQHKMa8IjVMa17I3tBDyR/UclY1LLo2vcCGKIdrJrf+
> eUVnD4/9qFMoXFZmERuHxUdq5pBMl9ngUfL/vyc4DDnz7qPFLWYxO5oI/PAg0zW2
> KiXqbPCakfzgHqQyJUFaYjbcqLnS3BlJf3ax2ev0krZD0RijFxtu1qE3vTL1OLtD
> Bpdk/9m9WaDNpNdNlyRl8qHmFMlfxqdkq4QslzMPCXb+pbnqLvZGIPrWobjqRI01
> zRD99NLASNxKhurA4yrg
> =RbxU
> -----END PGP SIGNATURE-----
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>



-- 
Jarrod Lowe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20140220/6e886db8/attachment.html>