Difference between 'transparent' and 'nodefault' options

Amanda Constant amanda.constant at secure64.com
Mon Oct 1 17:27:21 UTC 2018

I am out of the office October 1st & 2nd and will respond to your message as quickly as possible once I return.


On Oct 1, 2018, at 5:21 AM, Wouter Wijngaards via Unbound-users <unbound-users at nlnetlabs.nl> wrote:

> Hi Kees,
> On 10/1/18 7:36 AM, K. de Jong via Unbound-users wrote:
> Hi,
> I would like to know the difference between 'transparent' and
> 'nodefault'. Transparent sounds like a soft nodefault? When there is
> local-data it does a lookup there, if there is not it will continue
> looking for an answer, such as e.g. going through the forwarders? Is
> that correct? This could also mean it get's a reply from the AS112
> project if the address is private, right?
> Yes it performs the local-data and if not there, continues to the
> upstream servers, like forwarders you have configured.  This could mean
> contacting servers from the AS112 project.
> Unbound also has built-in answers for names from the AS112 namespace,
> and the nodefault makes it not process that so you can use that query
> for normal processing.
> Can someone also explain this sentence for me? "If no local-zone is
> given local-data causes a transparent zone to be created by default."
> What is this transparent zone? Why would it be created and if it is
> created, how can I see it?
> As far as I understand is nodefault a way to use private addresses in
> your zone without having them 'answered' by the AS112 project, correct?
> Without having them answered by the built-in namespace answers in
> Unbound for names in the AS112 namespace.  With that rephrase.
> Transparent (and other local-zone types) implies nodefault.  If you say
> transparent you get also the benefits that nodefault would give.
> Transparent also allows you to add local-data statements, but if you
> have none, there is very little difference for you between transparent
> and nodefault.
> I have a stub-zone to an authoritative name server which has only
> private addresses in its zone. I guess I will need to use 'nodefault'
> for that? At the moment I use 'transparent', that works fine too. What
> kind of problems could I expect if I continue with 'transparent'?
> No, I do not expect problems, I think you would be fine.
> Sorry for all the questions... I just want to clearly understand these
> options, at the moment I don't and I can't find other sources than the
> man page. Thank you.
> Transparent also works for people who want to override like a couple of
> data elements but the rest uses normal upstream processing.  For zones
> that are not private.  Nodefault is used to turn of the build-in AS112
> namespace processing, so that these private namespace names and be used.
> The created transparent zone is made if you give local-data but no
> local-zone statements.  It is simply a higher up domain node.  Not sure
> how to see if but perhaps with unbound-control.  However, I don't think
> you need to worry about it because you have specified the local-zone
> statements.
> Best regards, Wouter
> --
> Kind regards,
> Kees de Jong  |  OpenPGP fingerprint: 0x0E45C98AB51428E6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 3345 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20181001/d30cd42b/attachment.bin>

More information about the Unbound-users mailing list