[nsd-users] Unbound + NSD (stub-zones only needed for primary/secondary setup? NS records from the zone are ignored?)
K. de Jong
kees.dejong at os3.nl
Sat Sep 29 21:01:18 UTC 2018
Hi,
I'm using Unbound with NSD. Unbound consults the authoritative zones via
Unbound stub-zones. I also have a secondary NSD server running on a
different system which receives zone updates from its master (the one
with Unbound running on it as well). These primary and secondary name
servers are defined in the zone as ns1 (primary) and ns2 (secondary).
The problem is that the secondary is never queried. I do flush the
cache for the zone before I query again with dig/drill, but only the
master does a query/response. The queries fail when I disable NSD on
ns1 (primary).
The behavior only changes when I also add the secondary address to the
stub-zone in the Unbound config. But as far as I understand, the
recursive caching server (Unbound) should be able to also query the
secondary based on the NS definitions in the zone. To me it seems
strange that after defining NS records (with glue records) it's also
(or only?) needed to define the NS addresses in the stub-zone of
Unbound. Am I doing something wrong? Can someone explain why this setup
behaves like this?
What I want to accomplish is that the client queries 10.1.0.1 for a
record within home.lan, e.g. the A record of mail.home.lan. Unbound
then contacts the NSD server, then sees the NS records for ns1 and ns2
and is then able to query either ns1 or ns2 purely based on the NS
records, no extra configs needed, such as the extra stub-zone line.
After choosing the NS, that NS then replies with the A record of
mail.home.lan.
unbound.conf:

server:
    verbosity: 1
    log-queries: yes
    interface: 127.0.0.1@53
    interface: ::1@53
    interface: 10.1.0.1@53
    private-domain: home.lan
    private-domain: home.vpn
    private-address: 10.1.0.1
    private-address: 10.1.1.1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 10.1.0.0/24 allow
    access-control: 10.1.1.0/24 allow
    root-hints: "/etc/unbound/root.hints"
    do-not-query-localhost: no
    username: unbound
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
    unwanted-reply-threshold: 10000
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    msg-cache-size: 32m
    rrset-cache-size: 64m
    so-rcvbuf: 1m
    local-zone: "home.lan" nodefault
    # domain-insecure: "home.lan"
    include: "/etc/unbound/adblock.conf"

stub-zone:
    name: "home.lan"
    stub-addr: ::1@53530
    stub-addr: 10.1.0.2@53
nsd.conf (primary):

server:
    verbosity: 1
    interface: 127.0.0.1@53530
    interface: ::1@53530
    interface: 10.1.0.1@53530
    username: nsd
    hide-version: yes
    identity: ""

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8952
    server-key-file: "nsd_server.key"
    server-cert-file: "nsd_server.pem"
    control-key-file: "nsd_control.key"
    control-cert-file: "nsd_control.pem"

zone:
    name: "home.lan"
    zonefile: "home.lan.forward"
    notify: 10.1.0.2 NOKEY
    provide-xfr: 10.1.0.2 NOKEY
nsd.conf (secondary):

server:
    verbosity: 3
    interface: 127.0.0.1@53
    interface: ::1@53
    interface: 10.1.0.2@53
    username: nsd
    hide-version: yes
    identity: ""

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8952
    server-key-file: "nsd_server.key"
    server-cert-file: "nsd_server.pem"
    control-key-file: "nsd_control.key"
    control-cert-file: "nsd_control.pem"

zone:
    name: "home.lan"
    zonefile: "home.lan.forward"
    allow-notify: 10.1.0.1 NOKEY
    request-xfr: 10.1.0.1@53530 NOKEY
--
Kees de Jong
OpenPGP fingerprint: 0x0E45C98AB51428E6
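A small cross-check for the situation described in the message above, added here as an example and not part of the original post, of Unbound, or of NSD. It parses a constructed zone file modelled on the posted home.lan setup, collects the apex NS records and their glue addresses, reads the stub-addr entries of the matching stub-zone from an unbound.conf fragment, and reports which name-server addresses the stub-zone never mentions, plus any in-zone NS that has no glue at all. Because the poster's primary NSD is reached through ::1@53530 on the Unbound host, the script takes an `equivalent` mapping (an assumption of this example) that treats the glue address 10.1.0.1 as covered by ::1. The zone contents, serial, addresses and config fragments are constructed sample input, not the poster's real home.lan.forward.

```python
"""Cross-check a zone's apex NS records and glue against an Unbound stub-zone (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone file modelled on the posted setup (not the real home.lan.forward).
ZONE_TEXT = """\
$ORIGIN home.lan.
@    IN SOA ns1.home.lan. hostmaster.home.lan. (
         2018092901 ; serial, constructed
         3600 900 604800 3600 )
@    IN NS  ns1.home.lan.
@    IN NS  ns2
ns1  IN A   10.1.0.1
ns2  IN A   10.1.0.2
mail IN A   10.1.0.10
"""

# Constructed unbound.conf fragments: primary only, and with the secondary as posted.
UNBOUND_PRIMARY_ONLY = """\
stub-zone:
    name: "home.lan"
    stub-addr: ::1@53530
"""
UNBOUND_AS_POSTED = UNBOUND_PRIMARY_ONLY + "    stub-addr: 10.1.0.2@53\n"

# Assumption of this example: the NSD at 10.1.0.1 is the daemon Unbound reaches via ::1.
EQUIVALENT = {"10.1.0.1": "::1"}


def _join_parens(text: str) -> List[str]:
    """Strip ';' comments and join records continued inside ( ... )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    return [rec for rec in out if rec.strip()]


def _fqdn(name: str, origin: str) -> str:
    # Expand '@' and relative names to absolute, lower-case names.
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text: str) -> Tuple[str, List[str], Dict[str, Set[str]]]:
    """Return (origin, apex NS targets, {owner: set of A/AAAA addresses})."""
    origin, ns_names, addrs, owner = "", [], {}, ""
    for line in _join_parens(text):
        if line.startswith("$"):               # $ORIGIN / $TTL directives
            if line.startswith("$ORIGIN"):
                origin = line.split()[1].lower()
            continue
        tokens = line.split()
        if not line[0].isspace():              # a leading blank means "same owner as before"
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                      # optional TTL / class fields
        if len(tokens) < 2:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1]
        if rtype == "NS" and owner == origin:
            ns_names.append(_fqdn(rdata, origin))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata.lower())
    return origin, ns_names, addrs


def parse_stub_addrs(text: str, zone: str) -> Set[str]:
    # Collect stub-addr values (port stripped) of the stub-zone whose name is `zone`.
    want, found, block, current = zone.rstrip(".").lower(), set(), "", ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = [s.strip().strip('"') for s in line.partition(":")]
        if not value:                          # clause header such as "stub-zone:"
            block, current = key, ""
        elif block == "stub-zone" and key == "name":
            current = value.rstrip(".").lower()
        elif block == "stub-zone" and key == "stub-addr" and current == want:
            found.add(value.split("@", 1)[0].lower())
    return found


def check_stub_coverage(zone_text: str, unbound_text: str,
                        equivalent: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return ({NS: glue addresses absent from stub-addr}, [in-zone NS lacking glue])."""
    equivalent = equivalent or {}
    origin, ns_names, glue = parse_zone(zone_text)
    configured = parse_stub_addrs(unbound_text, origin)
    no_glue = [ns for ns in ns_names if ns not in glue and (ns == origin or ns.endswith("." + origin))]
    missing: Dict[str, Set[str]] = {}
    for ns in ns_names:
        for addr in glue.get(ns, set()):
            if addr not in configured and equivalent.get(addr) not in configured:
                missing.setdefault(ns, set()).add(addr)
    return missing, no_glue


if __name__ == "__main__":
    print(check_stub_coverage(ZONE_TEXT, UNBOUND_PRIMARY_ONLY, EQUIVALENT))
```

Run against the "primary only" fragment it reports ns2's glue 10.1.0.2 as unreachable through the stub-zone; against the fragment as posted (with the secondary added) it reports nothing, which matches the behaviour change the message describes. The script only compares addresses literally, hence the `equivalent` mapping for the loopback case; it does not itself change any configuration. Separately, unbound.conf(5) documents a `stub-prime` option for stub-zones that makes Unbound fetch the zone's published NS set from the listed servers, which is the mechanism to look at if the goal is for Unbound to learn ns1/ns2 from the zone rather than from stub-addr lines.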