10.in-addr.arpa forward-zone and auto-trust-anchor-file
Mikolaj Kucharski
mikolaj at kucharski.name
Thu Nov 12 09:33:18 UTC 2020
Hi,
I would like to set up a forward-zone for PTR records in the 10/8 subnet.
However, I don't know how to do it with the auto-trust-anchor-file setting
enabled. When I remove the auto-trust-anchor-file setting, PTR resolution
for 10.in-addr.arpa. works. With the config below I'm getting this:
$ dig -x 10.148.0.10
; <<>> dig 9.10.8-P1 <<>> -x 10.148.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8719
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;10.0.148.10.in-addr.arpa. IN PTR
;; Query time: 43 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 12 09:23:49 UTC 2020
;; MSG SIZE rcvd: 53
and in syslog I see the following line:
unbound: [38030:0] info: validation failure <10.0.148.10.in-addr.arpa. PTR IN>: no DNSSEC records from 8.8.4.4 for DS 10.in-addr.arpa. while building chain of trust
When I remove the auto-trust-anchor-file line from the config, it works:
$ dig -x 10.148.0.10
; <<>> dig 9.10.8-P1 <<>> -x 10.148.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58068
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;10.0.148.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.0.148.10.in-addr.arpa. 30 IN PTR kube-dns.kube-system.svc.k8s.prod.example.com.
;; Query time: 43 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 12 09:25:13 UTC 2020
;; MSG SIZE rcvd: 112
Here is my config:
# unbound.conf
server:
    interface: 127.0.0.1
    interface: ::1
    qname-minimisation: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2
    aggressive-nsec: yes
    local-zone: "10.in-addr.arpa." transparent

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "example.com."
    forward-addr: 10.96.2.81
    forward-first: no

forward-zone:
    name: "k8s.prod.example.com."
    forward-addr: 10.148.0.10
    forward-first: no

forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.148.0.10
    forward-first: no

forward-zone:
    name: "."
    forward-addr: 8.8.4.4
    forward-addr: 8.8.8.8
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
    forward-addr: 1.0.0.1
    forward-addr: 1.1.1.1
    forward-first: yes
Any tips on how to set it up?
$ unbound -V
Version 1.12.0
Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --disable-explicit-port-randomisation --without-pthreads
Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.2.2
Linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs at nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
--
Regards,
Mikolaj
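As an added example (not part of the original post, and not Unbound project code), the configuration a practitioner would try for this situation: keep the root trust anchor and DNSSEC validation enabled, but mark the private reverse zone as insecure with Unbound's `domain-insecure` directive. The syslog line above shows why validation fails: the validator asks the upstream forwarder (8.8.4.4) for the DS record of 10.in-addr.arpa. while building the chain of trust, gets no DNSSEC records back, and therefore cannot prove the zone is either secure or provably insecure, so it returns SERVFAIL. `domain-insecure` stops the chain of trust at that name, so the unsigned PTR answers from the internal forwarder are accepted. Addresses, paths and zone names are the ones from the post; anything else is an assumption of this example.

```conf
# unbound.conf (added example, not the poster's file or Unbound's own docs)
# Validating resolver that forwards the RFC 1918 reverse zone
# 10.in-addr.arpa. to an internal, unsigned name server.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    qname-minimisation: yes
    aggressive-nsec: yes
    val-log-level: 2

    # Keep DNSSEC validation on for every name that has a chain of trust.
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    # Unbound serves the RFC 1918 / AS112 reverse zones itself by default
    # (as static local zones); make this one transparent so queries fall
    # through to the forward-zone below instead of being answered locally.
    local-zone: "10.in-addr.arpa." transparent

    # The DS lookup for 10.in-addr.arpa. sent to the "." forwarder comes back
    # without DNSSEC records ("no DNSSEC records from 8.8.4.4 for DS
    # 10.in-addr.arpa. while building chain of trust"), so the validator
    # SERVFAILs. domain-insecure tells the validator to ignore the chain of
    # trust at and below this name, so the internal forwarder's unsigned
    # answers are accepted.
    # Caveat: PTR answers under this name are now NOT protected by DNSSEC
    # (no AD flag); that is only acceptable because the forwarder is an
    # internal host on the private network, not a public resolver.
    domain-insecure: "10.in-addr.arpa."

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Internal reverse zone: sent to the cluster DNS, never to the public forwarders.
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.148.0.10
    forward-first: no

# Everything else goes to the public forwarders (unchanged from the post).
forward-zone:
    name: "."
    forward-addr: 8.8.4.4
    forward-addr: 8.8.8.8
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
    forward-addr: 1.0.0.1
    forward-addr: 1.1.1.1
    forward-first: yes
```

Check the file with `unbound-checkconf` before reloading, then `unbound-control reload` (or `unbound-control flush_zone 10.in-addr.arpa` to drop the cached SERVFAIL) and repeat `dig -x 10.148.0.10`: the status should change from SERVFAIL to NOERROR, and `dig +dnssec -x 10.148.0.10` should show the answer without the `ad` flag, which is the expected result of marking the zone insecure. The same directive is needed for any other forward-zone whose internal server is unsigned but whose parent zone is signed (for example `k8s.prod.example.com.` if `example.com.` were DNSSEC-signed); keep the list of insecure domains as short as the private zones require, since each one is a hole in validation.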