On Thu, May 23, 2013 at 03:21:13PM -0700, Bright Star wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hello, Unbound Mailing List users & experts,
>
> Please check this below configuration, and let me know, IF this is
> fit and CORRECTLY CONFIGURED to work as a complete Validating
> DNS-Server / DNS-Resolver / DNS-Client for a Windows (7) OS based
> computer (which has 2GB RAM, 1 CPU Core), where it is currently
> installed and will run, and it will also have to serve, as a
> DNS-Server, for other computers and VMs (with different OSes) in
> local LAN.
>
> (Amount of free RAM memory size is large, so not a factor).
>
> Windows DNS Client service is set onto "Manual Startup" mode, so it
> is not running, and, local network adapter/interface is configured
> to use 127.0.0.1 as its DNS-Server, in this (Win7) computer.
>
> And LAN network adapter/interface of this (Win7) computer is also
> using fixed/static IP address 192.168.0.10.
>
> And other computers in LAN, VMs are configured to use 192.168.0.10
> as their DNS-Server.
>
> Most websites/domains/zones are not yet signed with DNSSEC. I want
> this DNS-Server, still be able to send DNS query results for such
> unsigned websites to its users/clients. (DNS query answer will not
> have "AD" flag).
>
> I do NOT want this DNS-Server to completely block (or stop sending)
> DNS query results for ANY sites/zones which are not yet DNSSEC signed.
>
> Firefox will have DNSSEC Validation based addons which will be
> configured to use this DNS-Server. Firefox addons will display
> colored icon or message, when a website is visited, and icon will
> indicate if a website is signed or secured with DNSSEC yet or not.
> (DNS query answer will have "AD" flag and "NOERROR" status for
> DNSSEC signed sites/zones).
>
> There are other software which we are using, they do not have
> built-in support for doing any DNSSEC based query and cannot
> understand DNSSEC based answer, those software still need to be able
> to function (that is: sending regular DNS query, and receiving
> regular response via this DNS-Server).
>
> So IF CORRECTION is NEEDED to be done on this config, please provide
> correct + practical + real config line that can be used, please do
> not give examples, or confusing comments/response. I'm looking for
> practical configuration that will serve my purpose and work right
> now. PLEASE describe ACCURATELY for what reason why a specific real
> config line is better or should be used what you are suggesting, and
> PLEASE describe what else need to be changed, exactly.
>
> Please do not assume, I will do or I'm supposed to do something
> automatically, so pls describe & explain.
>
> WHEN YOU ARE REPLYING, PLEASE MAKE SURE TO
> PLACE ONLY ONE/BELOW EMAIL ADDRESS IN THE
> "TO:" FIELD/Text-Box:
> unbound-users at unbound.net
>
> Please do not send any email directly to me, Thanks.
>
> PLEASE DO NOT SEND ANY EMAIL DIRECTLY TO ME, THANKS.
>
> Thanks (again) in advance,
> - -- Bright Star (Bry8Star).
> <SNIP>

Only one thing stood out to me as an obvious error.

access-control: 192.168.0.10 allow

As you said, other computers in your LAN are supposed to use this DNS
resolver. The access-control statement should be as follows:

access-control: 192.168.0.0/24 allow

Assuming /24 as your LAN subnet mask.

-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.
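
The effect of the access-control correction in the reply above, as an added example that is not part of the original thread: a small Python check that evaluates which clients each access-control line would admit. It assumes Unbound's documented behaviour (the most specific matching netblock decides, and by default only localhost is allowed while everything else is refused); the client addresses other than 127.0.0.1 and 192.168.0.10 are constructed.

```python
import ipaddress

# Assumption: Unbound's documented defaults (localhost allowed, rest refused).
DEFAULT_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), "refuse"),
    (ipaddress.ip_network("127.0.0.0/8"), "allow"),
]

def parse_access_control(conf_text):
    """Return (network, action) pairs for each access-control: line."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line.startswith("access-control:"):
            continue
        parts = line.split(":", 1)[1].split()
        if len(parts) != 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        netblock, action = parts
        # An address written without /size covers a single host (/32).
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules

def decide(client, rules):
    """Action of the most specific netblock containing the client."""
    addr = ipaddress.ip_address(client)
    matches = [(net.prefixlen, action) for net, action in rules if addr in net]
    return max(matches, key=lambda m: m[0])[1]

def audit(conf_text, clients):
    """Map each client address to the action Unbound would apply."""
    rules = DEFAULT_RULES + parse_access_control(conf_text)
    return {c: decide(c, rules) for c in clients}

# The line from the posted config and the line suggested in the reply.
ORIGINAL = "access-control: 192.168.0.10 allow\n"
CORRECTED = "access-control: 192.168.0.0/24 allow\n"

# Constructed clients: the resolver host itself (loopback and LAN address),
# a LAN VM, and a host outside the assumed /24.
CLIENTS = ["127.0.0.1", "192.168.0.10", "192.168.0.23", "192.168.1.5"]

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for client, action in audit(conf, CLIENTS).items():
            print(f"{name:9} {client:14} {action}")
```

With the original line only the resolver host itself gets answers; the /24 admits the other LAN machines while hosts outside the subnet are still refused.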