[Unbound-users] stub vs. forward vs. redirect
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Thu Sep 17 10:35:13 UTC 2009
Hi Tony,
On 09/14/2009 08:48 PM, Tony Finch wrote:
> We have a number of private zones on our site: a forward zone
> private.cam.ac.uk, and a number of reverse zones under 172.16.0.0/12.
> Should I configure these as stub zones, forward zones, or redirect zones?
As stub zones. Possibly set
local-zone: "16.172.in-addr.arpa" nodefault
so that unbound does not provide default blocking for the zone.
If you made them forward-zones, it would likely work as well, but if
there are CNAMEs then you probably want unbound to process the cname
chain chasing, as the other server is authoritative for these zones.
A redirect would work if you want to block access to those zones, and
return an answer to some 'redirect notify' page in all cases.
> At the moment private.cam.ac.uk is not signed but cam.ac.uk is. Does
> DNSSEC validation affect how I should configure these zones? Do I need to
> use the domain-insecure option?
Well, if private.cam.ac.uk does not exist in cam.ac.uk at all, yes,
you need to use domain-insecure: "private.cam.ac.uk".
If cam.ac.uk has a delegation to private.cam.ac.uk then this turns
into a proper unsigned delegation and it works out of the box.
Best regards,
Wouter
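Added example, not part of the original message and not NLnet Labs code: a small generator that emits the unbound.conf stanzas the reply describes (stub zones, "nodefault" local-zones, and domain-insecure when the signed parent has no delegation). It goes beyond the reply by covering all sixteen /16 reverse zones under 172.16.0.0/12; the function names and the 192.0.2.53 server address are assumptions.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zones, on octet boundaries, covering an IPv4 prefix."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("IPv4 only in this sketch")
    # Round the prefix length up to the next octet boundary (e.g. /12 -> /16).
    octets = max(1, -(-net.prefixlen // 8))
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def unbound_conf(forward_zone, cidr, auth_addrs, delegated=False):
    """Build unbound.conf text: server: options plus one stub-zone per private zone."""
    rev = reverse_zones(cidr)
    server = ["server:"]
    # Lift unbound's default blocking for each private reverse zone.
    server += [f'    local-zone: "{z}" nodefault' for z in rev]
    if not delegated:
        # The signed parent has no delegation for the private zone, so
        # validation would fail: exempt the zone from DNSSEC validation.
        server.append(f'    domain-insecure: "{forward_zone}"')
    stubs = []
    for zone in [forward_zone] + rev:
        stubs += ["stub-zone:", f'    name: "{zone}"']
        stubs += [f"    stub-addr: {a}" for a in auth_addrs]
    return "\n".join(server + stubs) + "\n"


if __name__ == "__main__":
    # 192.0.2.53 is a documentation address standing in for the site's
    # authoritative server (constructed value, not from the thread).
    print(unbound_conf("private.cam.ac.uk", "172.16.0.0/12", ["192.0.2.53"]), end="")
```

Pass delegated=True when the signed parent carries an unsigned delegation to the private zone; the domain-insecure line is then omitted, matching the "works out of the box" case in the reply.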