Reverse Resolution failing for one subnet.

George Thessalonikefs george at nlnetlabs.nl
Mon Sep 5 15:29:37 UTC 2022


Hi Peter,

You can use 'domain-insecure:' for that.

Best regards,
-- George

On 03/09/2022 23:42, Peter Fraser via Unbound-users wrote:
> I see. Thanks for that. Is it possible then to configure unbound to 
> exclude dnssec validation for local domains and do it for all external 
> domains?
> 
> 
> Regards,
> 
>> On Jul 25, 2022, at 8:12 PM, Hugo Salgado <hsalgado at vulcano.cl> wrote:
>>
>> 192.18.1 is currently delegated, and it has an nsec covering it until 
>> 192.18.10. So it could happen that activating validation, unbound is 
>> doing aggressive nsec, and answers nxdomain.
>>
>> Hugo
>>
>>
>> On July 25, 2022 8:38:51 PM GMT-04:00, Peter Fraser via Unbound-users 
>> <unbound-users at lists.nlnetlabs.nl> wrote:
>>
>>     Hi All,
>>     I would really appreciate some help with this strange problem I am
>>     having. I am running unbound 1.16.1 on FreeBSD 13.1 with NSD. I
>>     have only one strange problem. I have two subnets on my network,
>>     192.18.1.0/24 and 192.168.2.0/24. All forward lookups on both
>>     subnets are fine but reverse lookups for the 192.18.1.0/24 subnet
>>     fail. I notice though that when auto-trust-anchor-file is
>>     disabled, it works. Not sure why since none of my zone records are
>>     signed anyway.
>>
>>     The server that unbound is on has IP address 192.18.1.12. This
>>     is my setup below.
>>
>>
>>     interface: 192.18.1.12
>>     do-ip4: yes
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: 127.0.0.0/8 allow
>>     access-control: 192.18.1.0/24 allow
>>     access-control: 192.168.2.0/24 allow
>>
>>     auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
>>     local-zone: "my_domain.net." nodefault
>>     local-zone: "168.192.in-addr.arpa." nodefault
>>     local-zone: "18.192.in-addr.arpa." nodefault
>>
>>
>>     stub-zone:
>>       name: "my_domain.net"
>>       stub-addr: 192.18.1.12@53000
>>
>>     stub-zone:
>>       name: "1.18.192.in-addr.arpa."
>>       stub-addr: 192.18.1.12@53000
>>
>>     stub-zone:
>>       name: "2.168.192.in-addr.arpa."
>>       stub-addr: 192.18.1.12@53000
>>
> 
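
The 'domain-insecure:' suggestion applied to the configuration quoted above, as an added example that is not part of the original thread. It assumes the three zones served from the stub at 192.18.1.12@53000 are the only unsigned local zones; the stub-zone clauses stay as posted.

```conf
server:
    # Keep the root trust anchor: every name outside the zones listed
    # below is still DNSSEC-validated.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # Allow lookups for the local forward and reverse zones instead of
    # answering them from Unbound's built-in defaults.
    local-zone: "my_domain.net." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault
    local-zone: "18.192.in-addr.arpa." nodefault

    # Ignore the DNSSEC chain of trust towards these names only.
    # Each entry should match the name of an unsigned stub-zone;
    # the option can be given multiple times.
    domain-insecure: "my_domain.net."
    domain-insecure: "1.18.192.in-addr.arpa."
    domain-insecure: "2.168.192.in-addr.arpa."
```

Listing the narrowest names that match the stub zones, rather than removing the trust anchor, keeps validation in force for all external domains.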

