unbound not accepting a stub or forward pointing to a loopback interface.

Måns Nilsson mansaxel at besserwisser.org
Fri May 20 23:13:40 UTC 2016


Greetings, 

I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)

The setup is as follows:

unbound is listening on a loopback interface, lo1, using an address that
is anycast, let's call it 192.0.2.53/32. This address is configured as
resolver in clients. This works.

However, this particular machine is slated to go walkabout in a travel
kit to a place where it might lose its connection. We still want it to
work and keep on serving names, since some resources will be local.

Therefore, we've got an nsd instance running on the same host. The nsd is
slaving a number of the important zones we need off of the normal servers,
and we intend to use stub/forward in unbound to prefer this instance --
a lot of firewalling means we can't freely recurse from the root anyway,
so such a setup is required regardless. We're forwarding to a pair of
DMZ resolver hosts for external names, and to internal name servers for
our own stuff.

I initially tried to make nsd listen on 127.0.0.53 using an extra
loopback interface (in contrast to a statement by a PFY working at a
Swedish ISP back in the dotcom bubble days, we feel that we can afford
loopback interfaces... True story.) and it works. Half-way. I can dig
@127.0.0.53 and get excellent answers back. But unbound refuses to use 
the address, and returns SERVFAIL.  As soon as I make nsd listen on a
physical interface on the host and change the unbound config accordingly
so that it points to that address for forwarding/stub address, things
start working.

Is this an issue in unbound or OpenBSD (5.9)? 

Bonus question: Forward or Stub? I never really got through to understand
the differences ;-)

Thanks for any pointers in this. 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
We have DIFFERENT amounts of HAIR --
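
Added example (not part of the original message and not the author's configuration): an unbound.conf fragment for the setup described above, assuming the SERVFAIL comes from unbound's `do-not-query-localhost` option, which defaults to `yes` and excludes 127.0.0.0/8 and ::1 from the servers unbound will send queries to. The zone name and the DMZ resolver addresses are placeholders.

```conf
# Added example; assumptions are marked. Not the poster's real config.
server:
    # Anycast service address on lo1, as given in the post.
    interface: 192.0.2.53

    # Default is "yes": unbound silently removes loopback addresses from
    # stub-addr / forward-addr targets, so a zone whose only upstream is
    # 127.0.0.53 has no usable server and resolves to SERVFAIL.
    # Setting "no" allows queries to loopback upstreams.
    do-not-query-localhost: no

# Zones slaved by the local nsd. nsd is authoritative (it answers
# without recursion), which is what stub-zone expects.
stub-zone:
    name: "internal.example."      # placeholder zone name (assumption)
    stub-addr: 127.0.0.53          # nsd on the extra loopback, from the post

# External names go to the DMZ resolvers. Those are recursive
# resolvers, which is what forward-zone expects.
forward-zone:
    name: "."
    forward-addr: 198.51.100.10    # placeholder DMZ resolver (assumption)
    forward-addr: 198.51.100.11    # placeholder DMZ resolver (assumption)
```

With `do-not-query-localhost: no`, make sure nothing on loopback forwards back to unbound itself, since the default exists to prevent such query loops.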


More information about the Unbound-users mailing list