From: Dmitry Morozovsky
To: Konstantin Belousov
Cc: freebsd-stable@freebsd.org
Date: Sun, 29 Jun 2014 19:39:29 +0400 (MSK)
Subject: Re: stable/10: unbound refuses to forward some DNS queries

On Sun, 29 Jun 2014, Konstantin Belousov wrote:

> On Sun, Jun 29, 2014 at 03:28:26PM +0400, Dmitry Morozovsky wrote:
> > Dear colleagues,
> >
> > after upgrading my home file server to stable/10 I found that after turning on
> > local unbound reverse DNS queries for my RFC1918 zone stop working:

[snip]

> > Any hints? Or did I miss something trivial?
>
> I think, yes, you are supposed to spend an hour reading the unbound.conf
> man page, without skipping a single config option. Otherwise,
> making unbound(8) work as local caching resolver for the private
> network is impossible. The 'log-queries' and 'verbosity' would
> allow to see what is going on.
>
> For the fake home. TLD and 192.168/16 network, I have to tell
> unbound that the zones are not signed, and it is fine to forward
> RFC1918 addresses to the upstream.
>
> I use the following magic (for upstream forwarder 192.168.102.80).
> No idea if this could be simplified.
>
>     domain-insecure: "home."
>     domain-insecure: "168.192.in-addr.arpa."
>     private-domain: "home."
>     local-zone: "168.192.in-addr.arpa." transparent
> stub-zone:
>     name: "168.192.in-addr.arpa."
>     stub-addr: 192.168.102.80

Thank you so much, it works like a charm.

I do not have special TLD for forward resolving, and for me the following
subset seems to be enough:

    #suggested by kib@
    domain-insecure: "168.192.in-addr.arpa."
    local-zone: "168.192.in-addr.arpa." transparent

--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
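
Added example, not part of the original messages: unbound answers RFC1918 reverse zones such as 168.192.in-addr.arpa from built-in local zones unless the configuration overrides them, so this Python check reports which of the two settings used in the thread (a pass-through local-zone and domain-insecure) a given unbound.conf text still lacks. The function names and the set of pass-through types are assumptions of this example.

```python
import re

# local-zone types this example treats as letting queries fall through to
# normal resolution (assumption: any other type is answered locally).
PASS_THROUGH = {"transparent", "typetransparent", "nodefault"}

def norm(name):
    """Lowercase a DNS name, drop quotes, keep exactly one trailing dot."""
    return name.strip('"').lower().rstrip(".") + "."

def parse(conf):
    """Collect the unbound.conf directives that affect private reverse zones."""
    seen = {"insecure": set(), "local": {}}
    for raw in conf.splitlines():
        m = re.match(r"([\w-]+):\s*(.*)", raw.split("#", 1)[0].strip())
        if not m or not m.group(2):          # blank, comment or clause header
            continue
        key, val = m.group(1), m.group(2).split()
        if key == "domain-insecure":
            seen["insecure"].add(norm(val[0]))
        elif key == "local-zone" and len(val) > 1:
            seen["local"][norm(val[0])] = val[1]
    return seen

def check_reverse_zone(conf, zone):
    """List what still keeps `zone` from being resolved outside unbound."""
    seen, zone = parse(conf), norm(zone)
    problems = []
    # The built-in zone is only replaced by a local-zone line for the same name.
    if seen["local"].get(zone) not in PASS_THROUGH:
        problems.append("local-zone override missing")
    # domain-insecure on the zone or on any parent covers it.
    if not any(zone == d or zone.endswith("." + d) for d in seen["insecure"]):
        problems.append("domain-insecure missing")
    return problems

# Constructed inputs: the two snippets quoted in the thread.
KIB = '''domain-insecure: "home."
domain-insecure: "168.192.in-addr.arpa."
private-domain: "home."
local-zone: "168.192.in-addr.arpa." transparent
stub-zone:
    name: "168.192.in-addr.arpa."
    stub-addr: 192.168.102.80'''
MARCK = '''#suggested by kib@
domain-insecure: "168.192.in-addr.arpa."
local-zone: "168.192.in-addr.arpa." transparent'''

if __name__ == "__main__":
    for label, conf in (("kib", KIB), ("marck", MARCK), ("empty", "")):
        print(label, check_reverse_zone(conf, "168.192.in-addr.arpa") or "ok")
```

The check only reads the configuration text; `unbound-checkconf` and the `log-queries` and `verbosity` options mentioned in the thread remain the way to confirm what the running resolver does.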