Unbound-users Digest, Vol 48, Issue 5
Jon Murphy
jcmurphy26 at gmail.com
Sun Dec 24 22:11:42 UTC 2023
Hello Fred - thank you for the quick response!
Being a newbie I am not sure I understand your response. This is over my head. I’ll read it again after the holidays.
It sounds like the answer to my questions is -> it matters when it matters. As you said it is "implementation
dependent".
With a simple network (well defined, eh?) I am guessing it does not matter. I can have one A and one PTR record per network interface. So for my "deb12dell.localdomain" device, it is OK to have "two" of each, like this:
deb12dell.localdomain. 60 IN A 192.168.60.175
175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
deb12dell.localdomain. 60 IN A 192.168.65.180
180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
Thank you!
Merry Christmas / Happy Holidays,
Jon
> On Dec 23, 2023, at 6:00 AM, unbound-users-request at lists.nlnetlabs.nl wrote:
>
> Today's Topics:
>
> 1. A records, PTR records, and TTL setting (Jon Murphy)
> 2. Re: A records, PTR records, and TTL setting (Fred Morris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 22 Dec 2023 09:17:56 -0600
> From: Jon Murphy <jcmurphy26 at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: A records, PTR records, and TTL setting
> Message-ID: <43B68B1A-5751-4BD6-B2DC-9C95B24EACAC at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Hello! Newbie here and I am looking for help with A records and PTR records. I just started learning unbound and came across things that confuse me. I am experimenting with unbound Version 1.18.0. My unbound is for a local network.
>
>
> I have one device that has two network interfaces (ethernet and Wi-Fi).
>
> I added this Ethernet to unbound:
> deb12dell.localdomain. 60 IN A 192.168.60.175
> 175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> For the 2nd network interface on "deb12dell" I added two more lines. And yes, all seems fine!
> deb12dell.localdomain. 60 IN A 192.168.65.180
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> then...
>
> I read somewhere that I should only have one A record per device (with multiple interfaces). Like this:
> deb12dell.localdomain. 60 IN A 192.168.60.175
> 175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
>
> And I read somewhere else I should only have one PTR record per device. Like this:
> deb12dell.localdomain. 60 IN A 192.168.65.180
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
> deb12dell.localdomain. 60 IN A 192.168.65.180
>
> And the above two examples just do not "feel" right.
>
> So my question is:
> - should there only be one A Record per device?
> - or maybe only one PTR Record per device?
>
> I've searched Giggle and I looked through the mailing list but did not find an answer.
>
> ===
>
> - Concerning TTL
> If I send A & PTR records to unbound via `unbound-control local_data` and I do NOT include the TTL value. Then I list the records via `unbound-control list_local_data` and the new records show up with a default TTL value of 3600.
>
> I tried adding all of these items, separately, to unbound.conf to see if I can set the default TTL but none work.
>
> server:
> # cache TTL settings
> cache-max-ttl:
> cache-min-ttl:
> cache-max-negative-ttl:
> infra-host-ttl:
>
> How do I set the default TTL for A records and PTR records within unbound.conf??
>
> Best regards, Jon
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 22 Dec 2023 11:37:04 -0800 (PST)
> From: Fred Morris <m3047-unbound-b3u at m3047.net>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: A records, PTR records, and TTL setting
> Message-ID: <alpine.LSU.2.21.2312221039020.26513 at flame.m3047>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> This isn't specific to Unbound. Can't help you with the TTL questions.
>
> On Fri, 22 Dec 2023, Jon Murphy via Unbound-users wrote:
>>
>> Hello! Newbie here and I am looking for help with A records and PTR
>> records.
>
> Any time you have multiple RRs (records) the results are "implementation
> dependent". The only thing you cannot have multiples of is CNAME (a number
> of DNS server implementations enforce this).
>
>> I have one device that has two network interfaces (ethernet and Wi-Fi).
>> [...]
>> then...
>> [...]
>
> Any time you have an oname (FQDN) which resolves to multiple addresses,
> some application is going to choose the wrong one for reasons you do not
> comprehend. It is done for load balancing and sometimes failover, but it
> works poorly unless you wrote the client software as well. This kind of
> load balancing is oftentimes pushed down the stack with anycast, where
> server selection is done with routing (different servers all answer at the
> same address).
>
> That hints at the first problem, which is that sometimes only one address
> is reachable from a given network / segment.
>
> Unless you want client applications to try both the ethernet and wifi
> interfaces, don't list them both as the same name. flame.m3047.net has
> four interfaces. That one is in the public DNS, the other three are
> published in a private TLD (yes, I enjoy running through the forest naked
> covered in honey): flame.m3047, wlan0.flame.m3047, eth2.flame.m3047. None
> of those addresses is reachable from the other ones.
>
> People hate search lists, but maybe it would have been smarter to name the
> latter two flame.wlan0.m3047 and flame.eth2.m3047 and then if DHCP handed
> out wlan0.m3047 and eth2.m3047 as the domain depending on which segment a
> device was connected to, it would be able to pick the correct interface if
> I simply specified flame (but not flame., an obscure search list thing).
>
> I have another box with two addresses on a single interface because it
> publishes two DNS services on the same network segment (a "normal" DNS
> service, and RKVDNS[0] for security telemetry). Technically the box is
> reachable on either address, but you might not get the answer you expect
> if you talk to the wrong address. (If you want to SSH to the box you can
> use either address, but DNS queries obviously return very different
> results).
>
>> And I read somewhere else I should only have one PTR record per device. Like this:
>
> When you're using PTRs for on-label purposes technically multiple PTRs are
> allowed, but it causes problems for how they are used. PTR records are
> widely used for crappy security, but sometimes that's all there is.
>
> For instance NFS, if you have multiple PTRs and you use host based access
> controls you need to list them all. Email servers are vetted by peers
> based on the PTR and A / AAAA records validating each other, which breaks
> with multiple PTRs.
>
> I mentioned elsewhere that you can only ever have one CNAME, and since
> PTRs are built the same way they're sometimes utilized for off-label
> purposes (such as fanout[2]).
>
> Another issue with PTRs and CNAMEs is that the PTR typically points to
> what the CNAME points to (if there is any PTR at all), which isn't all
> that helpful. I use Dnstap telemetry to populate a Response Policy Zone
> with PTR records reflecting the name which was actually looked up[1].
>
> As part of my RPZ implementation I (also) follow best practices and have
> both a white and a block list. When I whitelist stuff it's often in some
> cesspool like cloudfront, so I create -owner PTR records as documentation:
> DE6F7G5I6V6QF.CLOUDFRONT.NET-OWNER.whitelist.m3047.net. 600 IN PTR UMBRELLA.COM.
>
>> [...]
>> I've searched Giggle and I looked through the mailing list but did not find an answer.
>
> I use Gmrgle, but you be you. :-p
>
> --
>
> Fred Morris, internet plumber
>
> --
>
> [0] https://github.com/m3047/rkvdns
> [1] https://github.com/m3047/rear_view_rpz
> [2] https://github.com/m3047/rkvdns_examples/tree/main/fanout
>
> ------------------------------
>
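The check Fred refers to when he says mail peers vet a sender "based on the PTR and A / AAAA records validating each other" is forward-confirmed reverse DNS: look up the PTR for the connecting address, then look up each returned name forward and require the original address to come back. The block below is an added example, not code from the Unbound project or from anyone in this thread. It runs that check against an in-memory table built from constructed records in the same zone-file syntax used above: the deb12dell A/PTR pairs are the ones from the thread, while mail.localdomain and smtp.localdomain are assumed names added to show the failure mode of a second PTR that has no matching forward record. It also handles IPv6 (AAAA / ip6.arpa), which the thread does not cover. No network is used; the "resolver" is a dict.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over an in-memory record table.

Added example, not code from the Unbound project or from anyone in this
thread.  It models the check Fred describes: a peer resolves the client's
PTR, resolves each returned name forward again, and requires the original
address to come back.  No network is used; the "resolver" is a dict built
from constructed records in the zone-file syntax used in the thread.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records.  The deb12dell lines are the ones from the
# thread; mail.localdomain / smtp.localdomain are assumed names, added to
# show a second PTR that does not round-trip.
SAMPLE_RECORDS = """
deb12dell.localdomain.        60 IN A   192.168.60.175
175.60.168.192.in-addr.arpa.  60 IN PTR deb12dell.localdomain.
deb12dell.localdomain.        60 IN A   192.168.65.180
180.65.168.192.in-addr.arpa.  60 IN PTR deb12dell.localdomain.
mail.localdomain.             60 IN A   192.168.60.25
25.60.168.192.in-addr.arpa.   60 IN PTR mail.localdomain.
25.60.168.192.in-addr.arpa.   60 IN PTR smtp.localdomain.   ; no A record
"""


def parse_records(text):
    """Parse 'owner TTL IN TYPE rdata' lines into {(owner, type): [rdata, ...]}."""
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        if not line:
            continue
        owner, _ttl, rrclass, rtype, rdata = line.split(None, 4)
        if rrclass.upper() != "IN":
            raise ValueError(f"unsupported class in: {raw}")
        table[(owner.lower(), rtype.upper())].append(rdata.strip().lower())
    return dict(table)


def reverse_name(ip):
    """Owner name of the PTR for ip: in-addr.arpa for v4, ip6.arpa for v6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(table, name, rtype):
    """Return the rdata list for (name, type), or [] when nothing is published."""
    return table.get((name.lower(), rtype.upper()), [])


def fcrdns(table, ip):
    """Split the PTR targets of ip into names that resolve back to ip and names that do not."""
    addr = ipaddress.ip_address(ip)
    forward_type = "A" if addr.version == 4 else "AAAA"
    confirmed, unconfirmed = [], []
    for name in lookup(table, reverse_name(ip), "PTR"):
        forward = {ipaddress.ip_address(a) for a in lookup(table, name, forward_type)}
        (confirmed if addr in forward else unconfirmed).append(name)
    return confirmed, unconfirmed


def accepts(table, ip, strict=False):
    """Lenient policy: at least one PTR round-trips.  Strict policy: every PTR round-trips."""
    confirmed, unconfirmed = fcrdns(table, ip)
    if strict:
        return bool(confirmed) and not unconfirmed
    return bool(confirmed)


RECORDS = parse_records(SAMPLE_RECORDS)

if __name__ == "__main__":
    for ip in ("192.168.60.175", "192.168.65.180", "192.168.60.25", "192.168.60.99"):
        print(f"{ip:15} ptr-owner={reverse_name(ip)} "
              f"(confirmed, unconfirmed)={fcrdns(RECORDS, ip)} "
              f"lenient={accepts(RECORDS, ip)} strict={accepts(RECORDS, ip, strict=True)}")
```

Both of the deb12dell addresses pass even under the strict policy, because each PTR points at a name whose A records include the address that was looked up; that is the two-A / two-PTR layout from the thread. The assumed 192.168.60.25 host passes only the lenient policy: its second PTR target has no forward record, which is exactly the kind of mismatch a peer applying the strict form rejects.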