[Unbound-users] Issue while using override with local-data feature
Matthijs Mekking
matthijs at NLnetLabs.nl
Tue Dec 23 12:33:07 UTC 2008
Hi Marco,
Marco Davids wrote:
> Hello list,
>
> I ran into an interesting situation while using the local-data feature
> in Unbound.
>
> Here is the situation:
>
> There is a domain, let's say it is 'domain.nl', with a FQDN
> 'www.domain.nl', which is available from the entire Internet. It is
> served from ns.example.com.
>
> There is also an override on my local Unbound-resolver:
> 'intra.domain.nl'. This should only be locally served, obviously.
>
> In unbound.conf I configured:
>
> local-zone: "domain.nl." transparent
> local-data: "intra.domain.nl A 192.168.1.1"
>
> Now, this works fine, with one exception:
>
> Many applications ask for AAAA-records nowadays. Indeed my application
> asks for 'AAAA intra.domain.nl'. In this case, Unbound (or rather
> ns.example.com, I guess) returns an NXDOMAIN. This is understandable,
> since there is no A record for 'intra.domain.nl' under the 'domain.nl'
> at ns.example.com (there is only a local override in Unbound). But it is
> also an undesirable situation, since some resolvers run into problems
> and won't resolve the A record anymore:
> http://support.microsoft.com/kb/815768
More specifically, ns.example.com returns NXDOMAIN because it has no RR
record at all with the owner dname intra.domain.nl.

Since the local-zone is set to transparent, Unbound looks up the answer
locally first, and if it is not there, it performs the query.
ns.example.com would then return NXDOMAIN.
> Wouldn't it be better if Unbound would change the NXDOMAIN answer from
> ns.example.com into a NOERROR when it has an A-record equivalent of the
> AAAA-question available? Or maybe a similar solution to prevent the
> problem described above?
I think indeed this might be useful in the transparent mode.
- Matthijs
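
The lookup order described in the message above, modelled as an added example (not part of the original post and not Unbound's code). It also records which queries leave the resolver, so the AAAA question for the internal name can be seen going to the public server. The function names, the nodata_for_local_names switch and the 192.0.2.10 address are assumptions made for illustration.

```python
# Toy model of a "transparent" local-zone lookup as described in this thread.
# Hypothetical helper names; this is not Unbound's implementation.

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# local-data from the unbound.conf quoted in the message
LOCAL_DATA = {("intra.domain.nl.", "A"): ["192.168.1.1"]}

# Constructed stand-in for ns.example.com: it only knows www.domain.nl.
# 192.0.2.10 is a constructed address from the documentation range.
UPSTREAM = {("www.domain.nl.", "A"): ["192.0.2.10"]}


def query_upstream(name, qtype, sent):
    """Ask the public server; 'sent' records every query that leaves the resolver."""
    sent.append((name, qtype))
    if not any(owner == name for owner, _ in UPSTREAM):
        return NXDOMAIN, []          # no record at all with this owner name
    return NOERROR, UPSTREAM.get((name, qtype), [])


def resolve_transparent(name, qtype, sent, nodata_for_local_names=False):
    """Local data first, then a normal query, as the reply describes.

    nodata_for_local_names=True models the change proposed in the thread:
    a name that has local data of another type is answered NOERROR with an
    empty answer section instead of being sent upstream.
    """
    if (name, qtype) in LOCAL_DATA:
        return NOERROR, LOCAL_DATA[(name, qtype)]
    if nodata_for_local_names and any(owner == name for owner, _ in LOCAL_DATA):
        return NOERROR, []
    return query_upstream(name, qtype, sent)


if __name__ == "__main__":
    for proposed in (False, True):
        sent = []
        for qtype in ("A", "AAAA"):
            rcode, answer = resolve_transparent(
                "intra.domain.nl.", qtype, sent, nodata_for_local_names=proposed)
            print(f"proposed={proposed} {qtype}: {rcode} {answer}")
        print(f"proposed={proposed} sent upstream: {sent}")
```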