[Unbound-users] Servers for local zones that are not signed
crosser at average.org
Fri Jul 6 13:13:22 UTC 2012
On 07/06/2012 04:45 PM, W.C.A. Wijngaards wrote:
>>>> So unbound asks dnsmasq for the address of "myhost.lan" as it
>>>> is instructed by forward-zone, gets correct result (!), but
>>>> then marks it bogus because it cannot establish trust chain.
>>> You'll need
>>> private-domain: "lan." domain-insecure: "lan."
>> Wow, that was fast! After also adding "do-not-query-localhost: no"
>> (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse
>> zone) it all worked!
>> Thanks a lot!
>> Any chance to make these sorts of tricks more apparent in the
> Where in the documentation have you been looking, i.e. does it make
> sense to add some text to help out?
I was reading unbound.conf(5) because there is no relevant doc in the Guides
section. I'd say, a separate "HowTo Configure Forward For Local Zones" document
would be ideal for my particular case. Or, spray hints in the unbound.conf
manpage like so:
- In the description of "forward-zone" and "stub-zone" mention that:
+ if this is a local zone that does not have a DS in the parent zone, you must
list the name as "domain-insecure",
+ if it may contain private addresses, then also in "private-domain"
+ if it is a reverse zone for a private address range, the zone needs to be
configured "local-zone: <zone.in-addr.arpa> nodefault"
- In the description of "forward-addr" note that if you specify loopback address
you should also add "do-not-query-localhost: no"
I think a separate HowTo might be better because this is a relatively common
setup, so many would benefit, and on the other hand the manpage is rather long
and dense already. I could knock up a short doc, shall I try?
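The settings discussed in this thread, assembled into one unbound.conf fragment (an added example, not taken from the original mail or from the Unbound documentation); the forwarder address and port 127.0.0.1@5353 for dnsmasq are assumed, and only the 192.168.0.0/16 reverse zone is shown:

```conf
server:
    # "lan." has no DS record in its parent, so a chain of trust can never be
    # built for it; without this, correct answers from dnsmasq are marked bogus.
    domain-insecure: "lan."
    # Answers under "lan." carry RFC 1918 addresses. Unbound strips private
    # addresses from responses as DNS-rebinding protection unless the domain
    # is listed here.
    private-domain: "lan."
    # dnsmasq listens on loopback; Unbound refuses to send queries to
    # localhost unless this is disabled (default is "yes").
    do-not-query-localhost: no
    # Unbound answers the RFC 1918 reverse zones locally by default (empty
    # zone). Drop that default so the forward-zone below is used instead.
    local-zone: "168.192.in-addr.arpa." nodefault

# Forward the local forward zone to dnsmasq (address/port are assumptions).
forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353

# Forward the matching reverse zone to the same dnsmasq instance.
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
```

Run `unbound-checkconf` before reloading; afterwards a lookup of a host under `lan.` through Unbound should return an answer (without the AD bit, since the zone is marked insecure) instead of SERVFAIL.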