Maintained by: NLnet Labs

unbound fetches DNS record from nsd but does not return it to client

Patrik Lundin
Sat Aug 1 10:33:28 CEST 2015


On Fri, Jul 31, 2015 at 10:36:34PM -0400, Sonic via Unbound-users wrote:
> I doubt that
>        local-zone: "1.168.192.in-addr.arpa" nodefault
> is necessary since you're defining it as a stub-zone.
> 

This is actually necessary. I just tested on my firewall at home, and if
I remove "local-zone: "168.192.in-addr.arpa." nodefault" I will get the unbound
default NXDOMAIN even if I still have my stub-zone declaration:
===
stub-zone:
        name: "1.168.192.in-addr.arpa"
        stub-addr: 127.0.0.1
===

However, the configuration is still wrong since "nodefault" only works on the
specific RFC1918 boundaries, and not anything below. If I change this:
---
local-zone: "168.192.in-addr.arpa." nodefault
---
... to this:
---
local-zone: "1.168.192.in-addr.arpa." nodefault
---

I again get the unbound default NXDOMAIN even if it looks like it matches what
I want better. As you have pointed out to me on openbsd-misc in the
past, the correct configuration to use in the latter case is this:
---
local-zone: "1.168.192.in-addr.arpa." transparent
---

This is only mentioned in passing in the man page for unbound.conf and I had
missed it completely before you pointed it out to me here:
http://marc.info/?l=openbsd-misc&m=140647222022445&w=2
This is probably my biggest pet peeve in the unbound configuration :).

This of course does not relate to the main question in the thread, but I am
pretty sure reverse lookups do not currently work either for the above
reasons.

-- 
Patrik Lundin
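
An added example, not part of the original post and not code from unbound: a small Python lint that applies the rule described in the message above to unbound.conf text. It reports stub-zones still hidden by a default RFC 1918 reverse zone and `nodefault` entries placed below the boundary. All function names are hypothetical, only the RFC 1918 reverse zones are modelled, and `transparent` is the only pass-through type it recognises.

```python
# Added example: lint unbound.conf text for stub-zones hidden by default RFC 1918 zones.
RFC1918_DEFAULTS = {"10.in-addr.arpa", "168.192.in-addr.arpa"} | {
    f"{n}.172.in-addr.arpa" for n in range(16, 32)}

def norm(name):
    return name.strip().strip('"').rstrip(".").lower()

def parse(conf):
    """Return ({local-zone name: type}, [stub-zone names])."""
    local, stubs, in_stub = {}, [], False
    for raw in conf.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(":")
        key, val = key.strip(), val.strip()
        if key and not val:               # clause header: "server:", "stub-zone:"
            in_stub = key == "stub-zone"
        elif key == "local-zone" and len(val.split()) == 2:
            zone, ztype = val.split()
            local[norm(zone)] = ztype.lower()
        elif key == "name" and in_stub:
            stubs.append(norm(val))
    return local, stubs

def suffixes(name):
    """The name and each parent zone, most specific first."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def stub_reachable(stub, local):
    for s in suffixes(stub):
        ztype = local.get(s)
        if s in RFC1918_DEFAULTS:         # boundary: needs nodefault or an override
            return ztype in ("nodefault", "transparent")
        if ztype and ztype != "nodefault":  # nodefault below the boundary is ignored
            return ztype == "transparent"
    return True                           # not under an RFC 1918 default zone

def lint(conf):
    local, stubs = parse(conf)
    dead = sorted(z for z, t in local.items() if t == "nodefault"
                  and z not in RFC1918_DEFAULTS
                  and any(s in RFC1918_DEFAULTS for s in suffixes(z)))
    return {"ineffective_nodefault": dead,
            "blocked_stubs": [s for s in stubs if not stub_reachable(s, local)]}

# Constructed sample: the variant the post says still returns NXDOMAIN.
SAMPLE = '''
server:
        local-zone: "1.168.192.in-addr.arpa." nodefault
stub-zone:
        name: "1.168.192.in-addr.arpa"
        stub-addr: 127.0.0.1
'''

if __name__ == "__main__":
    print(lint(SAMPLE))
```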