[Unbound-users] Issue while using override with local-data feature
matthijs at NLnetLabs.nl
Tue Dec 23 12:33:07 UTC 2008
Marco Davids wrote:
> Hello list,
> I ran into an interesting situation while using the local-data feature
> in Unbound.
> Here is the situation:
> There is a domain, let's say it is 'domain.nl', with a FQDN
> 'www.domain.nl', which is available from the entire Internet. It is
> served from ns.example.com.
> There is also an override on my local Unbound-resolver:
> 'intra.domain.nl'. This should only be locally served, obviously.
> In unbound.conf I configured:
> local-zone: "domain.nl." transparent
> local-data: "intra.domain.nl A 192.168.1.1"
> Now, this works fine, with one exception:
> Many applications ask for AAAA-records nowadays. Indeed my application
> asks for 'AAAA intra.domain.nl'. In this case, Unbound (or rather
> ns.example.com, I guess) returns an NXDOMAIN. This is understandable,
> since there is no A record for 'intra.domain.nl' under the 'domain.nl'
> at ns.example.com (there is only a local override in Unbound). But it is
> also an undesirable situation, since some resolvers run into problems
> and won't resolve the A record anymore:
More specifically, ns.example.com returns NXDOMAIN because it has no RR
record at all with the owner dname intra.domain.nl.
Since the local-zone is set to transparent, Unbound looks up the answer
locally first, and if it is not there, it performs the query.
ns.example.com would then return NXDOMAIN.
> Wouldn't it be better if Unbound would change the NXDOMAIN answer from
> ns.example.com into a NOERROR when it has an A-record equivalent of the
> AAAA-question available? Or maybe a similar solution to prevent the
> problem described above?
I think indeed this might be useful in the transparent mode.
- Matthijs
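The lookup order discussed in this thread, as an added example that is not part of the original messages and is not Unbound's code: a small Python model of a transparent local-zone as described in the reply, next to the NXDOMAIN-to-NOERROR rewrite proposed in the question (generalized here from "A exists for an AAAA query" to "any local record exists for the name"). The upstream records, the address 203.0.113.10 and all function names are constructed for illustration.

```python
# Constructed model of the behaviour discussed in the thread; not Unbound source.
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

def norm(name):
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

LOCAL_ZONE = norm("domain.nl.")
# local-data from the post: only an A record exists for intra.domain.nl
LOCAL_DATA = {(norm("intra.domain.nl"), "A"): ["192.168.1.1"]}
# Constructed stand-in for ns.example.com: it has no record at all
# with owner name intra.domain.nl, only www.domain.nl.
UPSTREAM = {(norm("www.domain.nl"), "A"): ["203.0.113.10"]}

def upstream_query(name, rtype):
    """NXDOMAIN if the owner name has no records; NOERROR with an empty
    answer (NODATA) if the name exists but not with this type."""
    name = norm(name)
    if (name, rtype) in UPSTREAM:
        return NOERROR, UPSTREAM[(name, rtype)]
    if any(owner == name for owner, _ in UPSTREAM):
        return NOERROR, []
    return NXDOMAIN, []

def in_local_zone(name):
    return name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE)

def resolve_transparent(name, rtype):
    """As described in the reply: answer from local data if the exact
    name and type are there, otherwise perform the query upstream."""
    name = norm(name)
    if in_local_zone(name) and (name, rtype) in LOCAL_DATA:
        return NOERROR, LOCAL_DATA[(name, rtype)]
    return upstream_query(name, rtype)

def resolve_proposed(name, rtype):
    """As proposed in the question: when upstream says NXDOMAIN but the
    name has local data of another type, answer NOERROR with no records."""
    rcode, answer = resolve_transparent(name, rtype)
    name = norm(name)
    if rcode == NXDOMAIN and any(owner == name for owner, _ in LOCAL_DATA):
        return NOERROR, []
    return rcode, answer

if __name__ == "__main__":
    for q in [("intra.domain.nl", "A"), ("intra.domain.nl", "AAAA")]:
        print(q, resolve_transparent(*q), resolve_proposed(*q))
```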