[Unbound-users] Issue while using override with local-data feature

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Dec 23 12:33:07 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Marco,

Marco Davids wrote:
> Hello list,
> 
> I ran into an interesting situation while using the local-data feature
> in Unbound.
> 
> Here is the situation:
> 
> There is a domain, let's say it is 'domain.nl', with a FQDN
> 'www.domain.nl', which is available from the entire Internet. It is
> served from ns.example.com.
> 
> There is also an override on my local Unbound-resolver:
> 'intra.domain.nl'. This should only be locally served, obviously.
> 
> In unbound.conf I configured:
> 
> local-zone: "domain.nl." transparent
> local-data: "intra.domain.nl A 192.168.1.1"
> 
> Now, this works fine, with one exception:
> 
> Many applications ask for AAAA-records nowadays. Indeed my application
> asks for 'AAAA intra.domain.nl'. In this case, Unbound (or rather
> ns.example.com, I guess) returns an NXDOMAIN. This is understandable,
> since there is no A record for 'intra.domain.nl' under the 'domain.nl'
> at ns.example.com (there is only a local override in Unbound). But it is
> also an undesirable situation, since some resolvers run into problems
> and won't resolve the A record anymore:
> http://support.microsoft.com/kb/815768

More specifically, ns.example.com returns NXDOMAIN because it has no RR
record at all with the owner dname intra.domain.nl.

Since the local-zone is set to transparant, unbound looks up the answer
locally first, and if it is not there, it performs the query.
ns.example.com would then return NXDOMAIN.

> Wouldn't it be better if Unbound would change the NXDOMAIN answer from
> ns.example.com into a NOERROR when it has an A-record equivalent of the
> AAAA-question available? Or maybe a similar solution to prevent the
> problem described above?

I think indeed this might be useful in the transparent mode.

- - Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJUNqDIXqNzxRs6egRAl0CAJ9/I3pmh6kbQOTGcQGAfNvqi7XOUgCePXKB
OgbCrtNczH6zmWuirRp0unM=
=lgB7
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list