Date: Sun, 29 Jun 2014 14:56:58 -0700
From: Peter Wemm <peter@wemm.org>
To: freebsd-stable@freebsd.org
Cc: Konstantin Belousov <kostikbel@gmail.com>, Dmitry Morozovsky <marck@rinet.ru>
Subject: Re: stable/10: unbound refuses to forward some DNS queries
Message-ID: <4052053.k3ny9DzFll@overcee.wemm.org>
In-Reply-To: <alpine.BSF.2.00.1406292002370.36231@woozle.rinet.ru>
References: <alpine.BSF.2.00.1406291514140.36231@woozle.rinet.ru> <alpine.BSF.2.00.1406291933560.36231@woozle.rinet.ru> <alpine.BSF.2.00.1406292002370.36231@woozle.rinet.ru>
On Sunday 29 June 2014 20:04:29 Dmitry Morozovsky wrote:
> On Sun, 29 Jun 2014, Dmitry Morozovsky wrote:
> > Thank you so much, it works like a charm.
> >
> > I do not have a special TLD for forward resolving, and for me the following
> > subset seems to be enough:
> > #suggested by kib@
> > domain-insecure: "168.192.in-addr.arpa."
> > local-zone: "168.192.in-addr.arpa." transparent
>
> ... and it turned out that even the last line is optional.
>
> To clarify: ALL queries for my case should be forwarded.
>
> It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014

I use 'nodefault' instead of 'transparent' for these.

I'm pretty sure you do need it because unbound has the RFC1918 and other
"fake" addresses stubbed out. If you only did a 'reload' after changing it,
the stubs would have been replaced with a live address. I'd expect a full
kill/restart to not work without it.

You need the domain-insecure for 168.192.in-addr.arpa because there is an NSEC3
hash on 192.in-addr.arpa that has a 'proof of non-existence' for the 192.168
node underneath.

For what it's worth, this is the general gist of what we do on the freebsd.org
cluster with some use of RFC1918 addresses:

Individual machines:

server:
    ...
    domain-insecure: "10.in-addr.arpa"
    local-zone: "10.in-addr.arpa." nodefault
    ...
forward-zone:
    # Forward to the cluster caching hub
    name: .
    forward-addr: 2001:4f8:3:ffe0:4064:0:35:1
    forward-addr: 2001:4f8:3:ffe0:4064:0:35:2
    forward-addr: 149.20.53.9
    forward-addr: 149.20.53.10

And one of the corresponding cache hubs:

server:
    ...
    domain-insecure: "10.in-addr.arpa"
    local-zone: "10.in-addr.arpa." nodefault
    ...
stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 149.20.53.9@5301    # local authoritative-only zone server
    stub-addr: 149.20.53.10@5301   # local authoritative-only zone server
    ...

Obviously this would need to be adjusted for whatever RFC1918 addresses you're
using locally. But that's how we use the built-in local_unbound resolver for
dogfood in the freebsd.org cluster.

--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4052053.k3ny9DzFll>
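The two directives Peter pairs for each forwarded RFC1918 reverse zone (a `local-zone ... nodefault` so unbound's built-in blocking stub for that zone is not installed, and a matching `domain-insecure` so the forwarded answers are not rejected by DNSSEC validation) are easy to get half right, especially since one line carries a trailing dot and the other does not. The following linter is an added example written for this page, not code from the FreeBSD cluster or from the unbound project: it parses an unbound.conf fragment, normalises zone names, and for every RFC1918 reverse zone that has a local-zone entry reports a missing `domain-insecure`, a type other than `nodefault`, or the absence of any stub-zone or forward-zone that would carry the query somewhere. The two configs embedded at the bottom are constructed for the script (the 192.0.2.53 upstream is an RFC 5737 documentation address, not a real resolver).

```python
#!/usr/bin/env python3
"""Lint an unbound.conf fragment for forwarded RFC 1918 reverse zones.

Added example for the thread above; not code from the FreeBSD cluster or the
unbound project. Checks, per zone that has a local-zone entry:
  * the local-zone type is 'nodefault' (what the thread recommends),
  * a domain-insecure entry exists for the same zone,
  * a stub-zone for the zone, or a forward-zone covering it, exists.
Zones with no local-zone entry keep unbound's default blocking and are skipped.
"""
import re

# Reverse zones for the three RFC 1918 blocks; unbound serves these from its
# built-in local data unless a local-zone entry for the zone overrides that.
RFC1918_REVERSE_ZONES = (
    ["10.in-addr.arpa."]
    + ["%d.172.in-addr.arpa." % i for i in range(16, 32)]
    + ["168.192.in-addr.arpa."]
)

SECTION_RE = re.compile(r"^([a-z-]+):\s*$")
OPTION_RE = re.compile(r'^([a-z-]+):\s*"?([^"\s]+)"?(?:\s+(\S+))?\s*$')


def norm(zone):
    """Lowercase, strip quotes, and give the name exactly one trailing dot,
    so "10.in-addr.arpa" and "10.in-addr.arpa." compare equal."""
    return zone.strip().strip('"').lower().rstrip(".") + "."


def parse(text):
    """Return (local_zones, insecure, forward_names, stub_names).

    local_zones maps zone -> type; the others are sets of normalised names.
    '#' comments and blank lines are ignored; the current section is tracked
    only to tell which 'name:' lines belong to forward-zone / stub-zone blocks.
    """
    local_zones, insecure, forward, stub = {}, set(), set(), set()
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value, extra = m.group(1), m.group(2), m.group(3)
        if key == "local-zone" and extra:
            local_zones[norm(value)] = extra.lower()
        elif key == "domain-insecure":
            insecure.add(norm(value))
        elif key == "name" and section == "forward-zone":
            forward.add(norm(value))
        elif key == "name" and section == "stub-zone":
            stub.add(norm(value))
    return local_zones, insecure, forward, stub


def check(text, zones=RFC1918_REVERSE_ZONES):
    """Return a list of (zone, finding) strings; an empty list means clean."""
    local_zones, insecure, forward, stub = parse(text)
    findings = []
    for zone in zones:
        ztype = local_zones.get(zone)
        if ztype is None:
            continue  # still blocked by unbound's default; nothing to forward
        if ztype != "nodefault":
            findings.append((zone, "local-zone type is '%s'; the thread "
                                   "recommends 'nodefault'" % ztype))
        if zone not in insecure:
            findings.append((zone, "no domain-insecure entry exempting it "
                                   "from DNSSEC validation"))
        covered = zone in stub or any(
            f == "." or zone == f or zone.endswith("." + f) for f in forward)
        if not covered:
            findings.append((zone, "no stub-zone or forward-zone covers it"))
    return findings


# Constructed sample in the shape of the per-machine config quoted above.
GOOD_CONF = """\
server:
    domain-insecure: "10.in-addr.arpa"
    local-zone: "10.in-addr.arpa." nodefault
forward-zone:
    name: .
    forward-addr: 192.0.2.53   # RFC 5737 documentation address (constructed)
"""

# Constructed counter-example: 'transparent' only, and no domain-insecure.
WEAK_CONF = """\
server:
    local-zone: "168.192.in-addr.arpa." transparent
forward-zone:
    name: "168.192.in-addr.arpa"
    forward-addr: 192.0.2.53
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, check(conf) or "ok")
```

Run it against your own unbound.conf by passing the file contents to `check()`; a clean result only says the three directives agree with each other, so confirm the live behaviour with a reverse lookup through the resolver after a full restart, not just a reload.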