[Unbound-users] rDNS for fd::/8

Joe Abley jabley at hopcount.ca
Wed Mar 27 18:29:07 UTC 2013


On 2013-03-27, at 13:29, Mike. <the.lists at mgm51.com> wrote:

> So then my question becomes --- in order for rDNS to work, why do I
> need domain-insecure for d.f.ip6.arpa and not for 10.in-addr.arpa?

The delegation to 10.in-addr.arpa is insecure:

[krill:~]% dig @a.in-addr-servers.arpa 10.in-addr.arpa soa +dnssec +norec

; <<>> DiG 9.8.3-P1 <<>> @a.in-addr-servers.arpa 10.in-addr.arpa soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37726
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;10.in-addr.arpa.		IN	SOA

;; AUTHORITY SECTION:
10.in-addr.arpa.	86400	IN	NS	blackhole-1.iana.org.
10.in-addr.arpa.	86400	IN	NS	blackhole-2.iana.org.
10.in-addr.arpa.	3600	IN	NSEC	100.in-addr.arpa. NS RRSIG NSEC
10.in-addr.arpa.	3600	IN	RRSIG	NSEC 8 3 3600 20130403190610 20130327152523 30304 in-addr.arpa. jEbmL7O2Lsot3L8DZwEgZqik7Xpdh1uoVyAykVrxiP9TqCEN013oDiPn WzEaGccs3sPv3nrZpYJEfe9107N3cjgmfGNUy08g+l1FZQbQQC5dg5p/ KtFuOKp4AQZ0o/RS5+XXuWxxLHXMJPwQRi0HrXRJEHXLmvJ94YD2XvHb OlU=

;; Query time: 94 msec
;; SERVER: 2001:500:13::73#53(2001:500:13::73)
;; WHEN: Wed Mar 27 14:26:59 2013
;; MSG SIZE  rcvd: 314

[krill:~]% 

There *is* no delegation for d.f.ip6.arpa:

[krill:~]% dig @a.ip6-servers.arpa d.f.ip6.arpa soa +dnssec +norec

; <<>> DiG 9.8.3-P1 <<>> @a.ip6-servers.arpa d.f.ip6.arpa soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26488
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;d.f.ip6.arpa.			IN	SOA

;; AUTHORITY SECTION:
ip6.arpa.		0	IN	SOA	b.ip6-servers.arpa. hostmaster.icann.org. 2011027460 1800 900 604800 3600
ip6.arpa.		0	IN	RRSIG	SOA 8 2 3600 20130403195609 20130327152714 17280 ip6.arpa. GfYP2Q+e3c+MDWcS9U2ZQYpUexHO9yHqHIT0S530UG2f2CHGfyGEyG+k VsGfV+Naq5uDLVcVeG6Nudajuj8GSOW3mKJQyXavyOBbA4lP5cZyiZBg UVm434fYw5gwA+IUrq+qxpaA0VFfFJ1Xv2ZeF4fK2kEyVD4KGjB7UPMI 09c=
ip6.arpa.		3600	IN	NSEC	2.0.1.0.0.2.ip6.arpa. NS SOA RRSIG NSEC DNSKEY
ip6.arpa.		3600	IN	RRSIG	NSEC 8 2 3600 20130403182935 20130327152714 17280 ip6.arpa. HvZL9ih3EiUZDEGMbMoKsDPYlm1sFqnZFuliiYXNA1KsBASzQ/IoKksm bc1XBDJua9zMNcMSbyzJLEocJ+cpvhxQ8Qof5w2ECoxNcNAspJsiqiwd 32v5YIojPPWIEvz9BnsGBvM0nccR+Gm6AqMpes+WvuJdwRaIIk9Cz+2v icY=
0.c.2.ip6.arpa.		3600	IN	NSEC	ip6.arpa. NS DS RRSIG NSEC
0.c.2.ip6.arpa.		3600	IN	RRSIG	NSEC 8 5 3600 20130404010822 20130327152714 17280 ip6.arpa. enGDPcIFsYEx9X+xX1kFdeaSqQwBdqEQn+4b2PVKGmIdfGVXSjuNp7AH hS5mNUDzCorN5Br6Jm7K9l6uOT08agZvAPQViN6e1r2S+VH5nxWvmg+0 nSUgYIZeKfP8xBJYoHwPahyvP/zvUvw4KpUg28js/gSFGGjqTcHZLyVB ecQ=

;; Query time: 96 msec
;; SERVER: 2001:500:13::73#53(2001:500:13::73)
;; WHEN: Wed Mar 27 14:27:58 2013
;; MSG SIZE  rcvd: 692

[krill:~]% 

Your local data for d.f.ip6.arpa is conflicting with the signed non-existence of those names in the ip6.arpa zone.

This does not happen with 10.in-addr.arpa because your validator knows that zone is insecure anyway.


Joe



More information about the Unbound-users mailing list