Local-data or stub-zone for fake domains

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Aug 5 07:56:35 UTC 2019


Hi,

On 8/5/19 9:17 AM, Юрий Иванов via Unbound-users wrote:
> Hi,
> May I ask for advice.

I think you need to give a dnssec trust (or non-trust) point for the
mycorp, this is what causes the failure.  It now, quite likely, tries to
use the mycorp dnssec chain from the public internet and tries to
continue it into the stub-zone contents, but there are no DNSSEC records
there.

domain-insecure: "mycorp."
that should solve the problem by disabling DNSSEC for mycorp.

If you want to use dnssec with mycorp, then unbound has to be able to
find out what the correct keys are for it.  Without domain-insecure it
uses the parent zone ("." in this case) to find the mycorp DS record,
but you can also load a trust anchor file (this is a text file with the
DS or DNSKEY records in zone file format).  But then you would have to
sign the mycorp domain that is served from the stub-zone server.

The local-zone and local-data statements work because they act like a
filter for lookups before the DNSSEC processing and stub lookups take place.

Best regards, Wouter

> 
> My original DNS host internal zone .mycorp, for local company services.
> Now I want to use unbound.
> 
> I've created stub-zone:
> stub-zone:
>   name: "mycorp."
>   stub-addr: 87.2.16.54
> 
> When asking dig @87.2.16.54 supportdesk.mycorp unbound sends me a log
> message:
> Aug  5 09:58:37 DNSCache-1 unbound: [16829:2] info: validation failure
> <supportdesk.mycorp. A IN>: no NSEC3 records from 202.12.27.33 for DS
> supportdesk.mycorp. while building chain of trust
> 
> To override this problem I create local data:
> local-data: "supportdesk.mycorp. 10800 IN A 87.2.16.54"
> 
> What is the correct path to resolve this issue: Create a bunch of local-data
> entries or try to fix the validation failure somehow?
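
Putting the advice above together as one unbound.conf fragment (an added example, not part of the original thread; the zone name and the 87.2.16.54 address are the ones quoted in the question, and the DS field values in the commented trust-anchor alternative are placeholders, not real keys):

```conf
server:
    # Tell unbound not to expect a DNSSEC chain of trust under mycorp.
    # Without this the validator asks the parent (".") for a mycorp DS
    # record, finds none (hence "no NSEC3 records ... for DS ... while
    # building chain of trust"), and cannot continue the chain into the
    # unsigned data served by the stub-zone server.
    domain-insecure: "mycorp."

    # Alternative to domain-insecure: if the internal server signs mycorp,
    # point unbound at a trust anchor for it instead. The file holds DS or
    # DNSKEY records in zone-file format; the values here are placeholders.
    # trust-anchor-file: "/etc/unbound/mycorp.anchor"
    # (file contents, one line)
    # mycorp. IN DS <keytag> <algorithm> <digest-type> <digest-hex>

# Forward everything under mycorp. to the internal authoritative server.
stub-zone:
    name: "mycorp."
    stub-addr: 87.2.16.54
```

Use one of the two, not both: domain-insecure turns validation off for the zone, the trust anchor keeps it on but requires the internal zone to be signed with keys matching the anchor. After editing, run unbound-checkconf to catch syntax errors, reload, and query the resolver (not the stub server directly) for supportdesk.mycorp; the "validation failure" line should no longer appear in the log.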
