Difference between 'transparent' and 'nodefault' options

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Oct 1 11:21:49 UTC 2018

Hi Kees,

On 10/1/18 7:36 AM, K. de Jong via Unbound-users wrote:
> Hi,
> I would like to know the difference between 'transparent' and
> 'nodefault'. Transparent sounds like a soft nodefault? When there is
> local-data it does a lookup there, if there is not it will continue
> looking for an answer, such as e.g. going through the forwarders? Is
> that correct? This could also mean it get's a reply from the AS112
> project if the address is private, right?

Yes it performs the local-data and if not there, continues to the
upstream servers, like forwarders you have configured.  This could mean
contacting servers from the AS112 project.

Unbound also has built-in answers for names from the AS112 namespace,
and the nodefault makes it not process that so you can use that query
for normal processing.

> Can someone also explain this sentence for me? "If no local-zone is
> given local-data causes a transparent zone to be created by default."
> What is this transparent zone? Why would it be created and if it is
> created, how can I see it?
> As far as I understand is nodefault a way to use private addresses in
> your zone without having them 'answered' by the AS112 project, correct?

Without having them answered by the built-in namespace answers in
Unbound for names in the AS112 namespace.  With that rephrase.

Transparent (and other local-zone types) implies nodefault.  If you say
transparent you get also the benefits that nodefault would give.
Transparent also allows you to add local-data statements, but if you
have none, there is very little difference for you between transparent
and nodefault.

> I have a stub-zone to an authoritative name server which has only
> private addresses in its zone. I guess I will need to use 'nodefault'
> for that? At the moment I use 'transparent', that works fine too. What
> kind of problems could I expect if I continue with 'transparent'?

No, I do not expect problems, I think you would be fine.

> Sorry for all the questions... I just want to clearly understand these
> options, at the moment I don't and I can't find other sources than the
> man page. Thank you.

Transparent also works for people who want to override like a couple of
data elements but the rest uses normal upstream processing.  For zones
that are not private.  Nodefault is used to turn of the build-in AS112
namespace processing, so that these private namespace names and be used.

The created transparent zone is made if you give local-data but no
local-zone statements.  It is simply a higher up domain node.  Not sure
how to see if but perhaps with unbound-control.  However, I don't think
you need to worry about it because you have specified the local-zone

Best regards, Wouter

> --
> Kind regards,
> Kees de Jong  |  OpenPGP fingerprint: 0x0E45C98AB51428E6

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20181001/0ccaf635/attachment.bin>

More information about the Unbound-users mailing list