unbound fetches DNS record from nsd but does not return it to client
wouter at nlnetlabs.nl
Tue Aug 4 09:14:18 CEST 2015
On 03/08/15 18:50, Patrik Lundin wrote:
> On Mon, Aug 03, 2015 at 12:42:00PM +0200, W.C.A. Wijngaards via
> Unbound-users wrote:
>> I've fixed up the manual page and the example config file, and
>> they now discuss configuring domain-insecure or local-zone
>> nodefault for locally served zones.
> Thank you for making the configuration information more explicit.
> I believe what I have been missing is a hint at the "nodefault"
> description that it only works for the exact zone names:
> === nodefault Used to turn off default contents for AS112 zones.
> The other types also turn off default contents for the zone. The
> 'nodefault' option has no other effect than turning off default
> contents for the given zone. ===
> Reading this it is not clear to me that "nodefault" only works for
> the exact zones, and that I am supposed to use "transparent" if I
> configure 1.168.192.in-addr.arpa for example.
Added text to address that. Thanks for pointing that out and the
'transparent' workaround for it.
> Maybe this is just me :).
> Out of curiosity: what is the reason unbound does not work for the
> original poster if domain-insecure is missing? The domain was
> "data1.datanet.home", and since there is no DS record for "home" at
> ".", it seems to me this would mean no further DNSSEC processing is
> necessary. What am I missing?
There is an NXDOMAIN at "home." at ".". DNSSEC does not allow data
under an NXDOMAIN. If there had been an insecure delegation
(NS records and no DS record), then it would have worked as you said.
>> The configuration is like this because the access-control filter
>> happens first (it is by IP address netblock). Then the
>> local-zone filter is applied (it is by domain name). Then the
>> DNS cache is used, the items are fed in there with the stub-zone
>> clause. The cache entries are also 'filtered' by DNSSEC
>> validation and private-address removal. And all of these
>> components are separately configurable...
> Sounds reasonable, thanks for the information :).
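An added configuration sketch, not part of the original message or the Unbound documentation, showing the settings discussed in this thread in the order the filters are applied. The client netblock, the nsd address 127.0.0.1@5353 and the use of private-address are assumptions; the zone names are the ones mentioned above.

```conf
# unbound.conf sketch (added example; addresses and port are constructed)
server:
    # 1. access-control is checked first, by client IP netblock.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # 2. local-zone is applied next, by domain name.
    #    168.192.in-addr.arpa. has default (AS112) contents, and "nodefault"
    #    only works for that exact zone name, so the more specific
    #    locally served subzone is marked "transparent" instead.
    local-zone: "1.168.192.in-addr.arpa." transparent

    # 4. Entries going into the cache are filtered by DNSSEC validation.
    #    "home." is NXDOMAIN at the root, and DNSSEC does not allow data
    #    under an NXDOMAIN, so validation is switched off below this name.
    domain-insecure: "datanet.home."
    domain-insecure: "1.168.192.in-addr.arpa."

    #    Cache entries are also filtered by private-address removal;
    #    private-domain lets the local zone keep its 192.168.x.x answers.
    private-address: 192.168.0.0/16
    private-domain: "datanet.home."

    # Needed only because the assumed nsd instance listens on localhost.
    do-not-query-localhost: no

# 3. stub-zone feeds the locally served zones (from nsd) into the cache.
stub-zone:
    name: "datanet.home."
    stub-addr: 127.0.0.1@5353

stub-zone:
    name: "1.168.192.in-addr.arpa."
    stub-addr: 127.0.0.1@5353
```

Running unbound-checkconf on the file catches syntax errors before a reload.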