From: Peter Wemm <peter@wemm.org>
To: freebsd-stable@freebsd.org
Cc: Konstantin Belousov, Dmitry Morozovsky
Subject: Re: stable/10: unbound refuses to forward some DNS queries
Date: Sun, 29 Jun 2014 14:56:58 -0700
Message-ID: <4052053.k3ny9DzFll@overcee.wemm.org>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
On Sunday 29 June 2014 20:04:29 Dmitry Morozovsky wrote:
> On Sun, 29 Jun 2014, Dmitry Morozovsky wrote:
> > Thank you so much, it works like a charm.
> >
> > I do not have special TLD for forward resolving, and for me the following
> > subset seems to be enough:
> >     #suggested by kib@
> >     domain-insecure: "168.192.in-addr.arpa."
> >     local-zone: "168.192.in-addr.arpa." transparent
>
> ... and it turned out that even the last line is optional.
>
> To clarify: ALL queries for my case should be forwarded.
>
> It's on FreeBSD 10.0-STABLE #4 r267602: Wed Jun 18 11:15:36 MSK 2014

I use 'nodefault' instead of 'transparent' for these.

I'm pretty sure you do need it because unbound has the RFC1918 and other
"fake" addresses stubbed out. If you only did a 'reload' after changing it,
the stubs would have been replaced with a live address. I'd expect a full
kill/restart to not work without it.

You need the domain-insecure for 168.192.in-addr.arpa because there is an NSEC3
hash on 192.in-addr.arpa that has a 'proof of non existence' for the 192.168
node underneath.

For what it's worth, this is the general gist of what we do on the freebsd.org
cluster with some use of RFC1918 addresses:

Individual machines:

    server:
        ...
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
        ...
    forward-zone:
        # Forward to the cluster caching hub
        name: .
        forward-addr: 2001:4f8:3:ffe0:4064:0:35:1
        forward-addr: 2001:4f8:3:ffe0:4064:0:35:2
        forward-addr: 149.20.53.9
        forward-addr: 149.20.53.10

And one of the corresponding cache hubs:

    server:
        ...
        domain-insecure: "10.in-addr.arpa"
        local-zone: "10.in-addr.arpa." nodefault
        ...
    stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 149.20.53.9@5301    # local authoritative-only zone server
        stub-addr: 149.20.53.10@5301   # local authoritative-only zone server
        ...
Obviously this would need to be adjusted for whatever RFC1918 addresses you're
using locally. But that's how we use the built-in local_unbound resolver for
dogfood in the freebsd.org cluster.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…
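As an added example (not from Peter's post and not the freebsd.org cluster's own tooling), the script below generalises the "adjust for whatever RFC1918 addresses you're using" step: it maps each IPv4 prefix in use to the in-addr.arpa zones that cover it, works out which of those fall under one of the reverse zones that unbound stubs out by default (the RFC1918 set listed in the local-zone section of unbound.conf(5)), and renders the matching domain-insecure / local-zone nodefault lines. The prefixes in the __main__ block are constructed sample input; the function names are this example's own.

```python
"""Render unbound server: lines for the RFC1918 reverse zones a site uses.

Added example for the local_unbound discussion above; the helper names and the
sample prefixes are this example's own, not part of the original post.
"""
import ipaddress
import math

# Reverse zones that unbound serves from a built-in static stub unless the
# configuration says "local-zone: <zone> nodefault".  This is the RFC1918
# subset of the defaults documented in unbound.conf(5); other built-ins
# (127.in-addr.arpa, link-local, ip6.arpa entries, ...) are left out here.
UNBOUND_DEFAULT_RFC1918_ZONES = frozenset(
    ["10.in-addr.arpa.", "168.192.in-addr.arpa."]
    + [f"{i}.172.in-addr.arpa." for i in range(16, 32)]
)


def reverse_zones(cidr):
    """Return the in-addr.arpa zones that cover an IPv4 prefix.

    in-addr.arpa delegations happen on octet boundaries, so the prefix is
    widened to the next multiple of 8 bits and every subnet of that size is
    reversed: a /8 or /16 gives one zone, a /12 gives sixteen /16 zones.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled here")
    octets = math.ceil(net.prefixlen / 8)
    if octets == 0:
        raise ValueError("a /0 has no reverse zone")
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa.")
    return zones


def covering_default(zone):
    """Return the built-in stub zone that contains `zone`, or None.

    A /24 such as 192.168.5.0/24 lives under 168.192.in-addr.arpa, and it is
    that parent stub, not the /24's own zone, that must be declared nodefault.
    """
    labels = zone.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in UNBOUND_DEFAULT_RFC1918_ZONES:
            return candidate
    return None


def unbound_server_lines(cidrs):
    """Render the server: stanza for the given prefixes.

    Every zone gets domain-insecure, so a signed parent's NSEC3 proof of
    non-existence cannot make the validator reject the forwarded answer.
    Zones that unbound stubs out by default additionally get
    "local-zone ... nodefault", so the query is forwarded instead of being
    answered NXDOMAIN from the built-in stub.
    """
    declared = {}  # zone -> True if it needs nodefault
    for cidr in cidrs:
        for zone in reverse_zones(cidr):
            default = covering_default(zone)
            if default:
                declared[default] = True
            else:
                declared.setdefault(zone, False)
    lines = ["server:"]
    for zone in sorted(declared):
        lines.append(f'    domain-insecure: "{zone}"')
        if declared[zone]:
            lines.append(f'    local-zone: "{zone}" nodefault')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: a site using parts of 10/8 and 192.168/16.
    print(unbound_server_lines(["10.0.0.0/8", "192.168.5.0/24"]))
```

The rendered lines go into the server: section of unbound.conf on both the forwarding hosts and the cache hubs; the forward-zone and stub-zone sections stay as in the post, with your own forwarders or authoritative servers in place of the freebsd.org addresses.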