On Sunday 29 June 2014 20:04:29 Dmitry Morozovsky wrote:
> On Sun, 29 Jun 2014, Dmitry Morozovsky wrote:
> > Thank you so much, it works like a charm.
> >
> > I do not have a special TLD for forward resolving, and for me the following
> > subset seems to be enough:
> > #suggested by kib@
> > domain-insecure: "168.192.in-addr.arpa."
> > local-zone: "168.192.in-addr.arpa." transparent
>
> ... and it turned out that even the last line is optional.
>
> To clarify: ALL queries for my case should be forwarded.
>
> It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014
I use 'nodefault' instead of 'transparent' for these.

I'm pretty sure you do need it because unbound has the RFC1918 and other
"fake" addresses stubbed out. If you only did a 'reload' after changing it,
the stubs would have been replaced with a live address. I'd expect a full
kill/restart to not work without it.

You need the domain-insecure for 168.192.in-addr.arpa because there is an NSEC3
hash on 192.in-addr.arpa that has a 'proof of non-existence' for the 192.168
node underneath.

For what it's worth, this is the general gist of what we do on the freebsd.org
cluster with some use of RFC1918 addresses:
Individual machines:

server:
    ....
    domain-insecure: "10.in-addr.arpa"
    local-zone: "10.in-addr.arpa." nodefault
    ....

forward-zone:
    # Forward to the cluster caching hub
    name: .
    forward-addr: 2001:4f8:3:ffe0:4064:0:35:1
    forward-addr: 2001:4f8:3:ffe0:4064:0:35:2
    forward-addr: 149.20.53.9
    forward-addr: 149.20.53.10
And one of the corresponding cache hubs:
server:
    ....
    domain-insecure: "10.in-addr.arpa"
    local-zone: "10.in-addr.arpa." nodefault
    ....

stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 149.20.53.9@5301   # local authoritative-only zone server
    stub-addr: 149.20.53.10@5301  # local authoritative-only zone server
    ....
Obviously this would need to be adjusted for whatever RFC1918 addresses you're
using locally. But that's how we use the built-in local_unbound resolver for
dogfood in the freebsd.org cluster.
-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
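An added example, not Peter's code nor anything from the freebsd.org cluster configuration: a small Python generator that emits the per-zone domain-insecure / local-zone nodefault lines (and the optional stub-zone) for any RFC1918 prefix, so the DNSSEC exception stays scoped to exactly the reverse zones being forwarded instead of turning validation off globally. It generalizes the 10/8 stanzas above to 172.16/12, which unbound's built-in local zones split into sixteen /16 zones; the prefixes and the 192.0.2.53@5301 stub address in the demo are constructed, not from the thread.

```python
import ipaddress

# Unbound's built-in RFC1918 local-zones are cut at octet boundaries:
# 10/8 is one zone, 172.16/12 is sixteen /16 zones, 192.168/16 is one zone.
# Matching that granularity keeps the DNSSEC exception as narrow as possible.

def reverse_zones(prefix):
    """in-addr.arpa zone names (no trailing dot) covering an IPv4 prefix.

    The prefix length is rounded UP to the next octet boundary and the
    aligned sub-blocks enumerated (172.16/12 -> 16.172 ... 31.172); anything
    longer than /24 is widened to its enclosing /24 zone.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 in-addr.arpa zones are handled here")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    octets = max(1, -(-net.prefixlen // 8))          # ceil(prefixlen / 8)
    zones = []
    for block in net.subnets(new_prefix=octets * 8):  # yields net itself if equal
        labels = str(block.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def unbound_stanzas(prefixes, stub_addrs=()):
    """Render the server: lines for each zone, plus a stub-zone: per zone when
    stub_addrs (e.g. "host@5301" on a cache hub) are given."""
    server, stubs = ["server:"], []
    for prefix in prefixes:
        for zone in reverse_zones(prefix):
            # domain-insecure: skip DNSSEC validation for this subtree only
            server.append(f'    domain-insecure: "{zone}"')
            # nodefault: drop unbound's built-in empty zone so queries leave
            server.append(f'    local-zone: "{zone}." nodefault')
            if stub_addrs:
                stubs.append("stub-zone:")
                stubs.append(f'    name: "{zone}"')
                stubs.extend(f"    stub-addr: {addr}" for addr in stub_addrs)
    return "\n".join(server + stubs) + "\n"


if __name__ == "__main__":
    # Constructed demo: a site using 10/8 and 172.16/12, with a hub that
    # stubs the reverse zones to a local authoritative server on port 5301.
    print(unbound_stanzas(["10.0.0.0/8", "172.16.0.0/12"], ["192.0.2.53@5301"]))
```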