On Sun, 29 Jun 2014, Peter Wemm wrote: > > > subset seems to be enough: > > > #suggested by kib@ > > > domain-insecure: "168.192.in-addr.arpa." > > > local-zone: "168.192.in-addr.arpa." transparent > > > > ... and it turned out that even the last line is optional. > > > > To clarify: ALL queries for my case should be forwarded. > > > > It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014 > > I use 'nodefault' instead of 'transparent' for these. > > I'm pretty sure you do need it because unbound has the RFC1918 and other > "fake" addresses stubbed out. If you only did a 'reload' after changing it, > the stubs would have been replaced with a live address. I'd expect a full > kill/restart to not work without it. Yes you're absolutely right. > You need the domain-insecure for 168.192.in-addr.arpa because there is a NSEC3 > hash on 192.in-addr.arpa that has a 'proof of non existence' for the 192.168 > node underneath. maybe then we could improve the logic in local-unbound-setup.sh to detect RFC1918 addresses active on interfaces up and generate unbound.conf accordingly? -- Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] [ FreeBSD committer: marck@FreeBSD.org ] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------ _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"