Date:      Sun, 29 Jun 2014 14:56:58 -0700
From:      Peter Wemm <peter@wemm.org>
To:        freebsd-stable@freebsd.org
Cc:        Konstantin Belousov <kostikbel@gmail.com>, Dmitry Morozovsky <marck@rinet.ru>
Subject:   Re: stable/10: unbound refuses to forward some DNS queries
Message-ID:  <4052053.k3ny9DzFll@overcee.wemm.org>
In-Reply-To: <alpine.BSF.2.00.1406292002370.36231@woozle.rinet.ru>
References:  <alpine.BSF.2.00.1406291514140.36231@woozle.rinet.ru> <alpine.BSF.2.00.1406291933560.36231@woozle.rinet.ru> <alpine.BSF.2.00.1406292002370.36231@woozle.rinet.ru>

On Sunday 29 June 2014 20:04:29 Dmitry Morozovsky wrote:
> On Sun, 29 Jun 2014, Dmitry Morozovsky wrote:
> > Thank you so much, it works like a charm.
> >
> > I do not have special TLD for forward resolving, and for me the following
> > subset seems to be enough:
> >         #suggested by kib@
> >         domain-insecure: "168.192.in-addr.arpa."
> >         local-zone: "168.192.in-addr.arpa." transparent
>
> ... and it turned out that even the last line is optional.
>
> To clarify: ALL queries for my case should be forwarded.
>
> It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014

I use 'nodefault' instead of 'transparent' for these.

I'm pretty sure you do need it because unbound has the RFC1918 and other
"fake" addresses stubbed out.  If you only did a 'reload' after changing it,
the stubs would have been replaced with a live address.  I'd expect a full
kill/restart to not work without it.

You need the domain-insecure for 168.192.in-addr.arpa because there is an NSEC3
hash on 192.in-addr.arpa that has a 'proof of non-existence' for the 192.168
node underneath.

For what it's worth, this is the general gist of what we do on the freebsd.org
cluster with some use of RFC1918 addresses:

Individual machines:
server:
...
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
...
forward-zone:
        # Forward to the cluster caching hub
        name: .
        forward-addr: 2001:4f8:3:ffe0:4064:0:35:1
        forward-addr: 2001:4f8:3:ffe0:4064:0:35:2
        forward-addr: 149.20.53.9
        forward-addr: 149.20.53.10

And one of the corresponding cache hubs:
server:
...
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
...
stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 149.20.53.9@5301   # local authoritative-only zone server
        stub-addr: 149.20.53.10@5301  # local authoritative-only zone server
...

Obviously this would need to be adjusted for whatever RFC1918 addresses you're
using locally.  But that's how we use the built-in local_unbound resolver for
dogfood in the freebsd.org cluster.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
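As an added illustration of the two server options the thread settles on (domain-insecure plus local-zone nodefault, or transparent, for every RFC1918 reverse zone you forward), the following Python script is not part of the thread or of unbound: it derives the in-addr.arpa zone names from RFC1918 prefixes (including the 16 zones that 172.16/12 expands to), renders the matching unbound.conf server: lines, and lints a config fragment for zones that carry one option but not the other. The function names, the regex and the sample fragment are constructed here.

```python
import ipaddress
import re
# Constructed input: the RFC1918 prefixes whose reverse lookups must be forwarded.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def reverse_zones(cidr):
    """in-addr.arpa zone names (no trailing dot) covering an octet-aligned prefix."""
    net = ipaddress.ip_network(cidr, strict=True)
    octets = -(-net.prefixlen // 8)              # leading octets fixed by the prefix
    base = int(net.network_address) >> (32 - 8 * octets)
    count = 1 << (8 * octets - net.prefixlen)    # e.g. 172.16/12 spans 16 /16 zones
    zones = []
    for n in range(base, base + count):
        labels = [str((n >> (8 * i)) & 0xFF) for i in range(octets)]  # low octet first
        zones.append(".".join(labels) + ".in-addr.arpa")
    return zones

def render_server_options(cidrs):
    """unbound.conf 'server:' lines that let these reverse zones reach the forwarder."""
    lines = ["server:"]
    for zone in (z for cidr in cidrs for z in reverse_zones(cidr)):
        lines.append(f'        domain-insecure: "{zone}."')      # skip NSEC3 non-existence proof
        lines.append(f'        local-zone: "{zone}." nodefault')  # drop the built-in empty zone
    return "\n".join(lines) + "\n"

ZONE_RE = re.compile(r'^\s*(domain-insecure|local-zone):\s*"?([\w.-]+?)\.?"?(?:\s+(\w+))?\s*$')

def missing_options(conf_text, cidrs):
    """(zone, option) pairs where a server option the thread says is needed is absent."""
    insecure, released = set(), set()
    for m in filter(None, (ZONE_RE.match(ln.split("#", 1)[0]) for ln in conf_text.splitlines())):
        key, zone, arg = m.group(1), m.group(2).lower(), m.group(3)
        if key == "domain-insecure":
            insecure.add(zone)
        elif arg in ("nodefault", "transparent"):  # either releases the stubbed-out zone
            released.add(zone)
    problems = []
    for zone in (z for cidr in cidrs for z in reverse_zones(cidr)):
        if zone not in insecure:
            problems.append((zone, "domain-insecure"))
        if zone not in released:
            problems.append((zone, "local-zone nodefault"))
    return problems

# Constructed fragment modelled on the thread: 10/8 is complete, 168.192 lacks its local-zone.
SAMPLE_CONF = """server:
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
        domain-insecure: "168.192.in-addr.arpa."
"""
```

Running missing_options(SAMPLE_CONF, RFC1918) reports the missing local-zone for 168.192 plus both options for each of the 16 zones under 172.16/12.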