Failing to stub an in-addr.arpa zone

Unbound
1

Hi folks,

I have nsd3 serving on ::1 and unbound stubbing three zones to it.
Two of those zones work just fine, but the in-addr.arpa zone
I cannot get to work. Here is the configuration and the zone:

  stub-zone:
        name: "14.168.192.in-addr.arpa"
        stub-addr: ::1

  * * *

  $ORIGIN @
          86400 IN SOA ns hostmaster 155299844 7200 3600 604800 3600
          86400 IN NS ns
  ns 86400 IN A 127.0.0.1
  ns 86400 IN AAAA ::1
  [...]

I can query nsd3 fine with dig @::1.

When unbound forwards queries to the zone, however, it fails to send
them to nsd3, even though it seems like it found the delegation.
Upon startup, unbound seems to determine the delegation point just
fine:

  info: DelegationPoint<14.168.192.in-addr.arpa.>: 0 names (0 missing), 1 addrs (0 result, 1 avail)
  info: ip6 ::1 port 53 (len 28)

But when I ask it for data from that zone, I just keep getting
NXDOMAIN without any entries in the unbound log @verbosity 9.

piper:~|master|% dig @2001:41e0:ff12::1 a ns.14.168.192.in-addr.arpa
[...]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7517
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
[...]

I see the same problem using 127.0.0.1 instead of ::1. Any idea
what's going on?

2

Hi Martin,

local-zone: "168.192.in-addr.arpa" nodefault

is the entry you need to remove the default NXDOMAIN for queries that
should not be sent to the greater internet by default.

Best regards,
   Wouter

martin f krafft wrote:

3

also sprach W.C.A. Wijngaards <wouter@NLnetLabs.nl> [2008.10.21.1639 +0200]:

local-zone: "168.192.in-addr.arpa" nodefault

is the entry you need to remove the default NXDOMAIN for queries that
should not be sent to the greater internet by default.

This fixed the issue, while the more specific

  local-zone: "14.168.192.in-addr.arpa" nodefault

did not. I can imagine why.

I'd say that it shouldn't be required. If 168.192.in-addr.arpa is
a default zone, then a stub-zone like 14.168.192.in-addr.arpa or
even 168.192.in-addr.arpa should override that, no?

4

martin f krafft wrote:

did not. I can imagine why.

I'd say that it shouldn't be required. If 168.192.in-addr.arpa is
a default zone, then a stub-zone like 14.168.192.in-addr.arpa or
even 168.192.in-addr.arpa should override that, no?

It is an entry in a different table internally. The local zones, stubs,
forwarders, have their own lookup tables. It seems to cause grief over
the forwarder/stub lookup as well.

Operators expect the most specific. But the application has a simple
ordering, first check local-zone, then check forwards, then stubs.

Best regards,
   Wouter

5

also sprach W.C.A. Wijngaards <wouter@NLnetLabs.nl> [2008.10.21.1706 +0200]:

It is an entry in a different table internally. The local zones, stubs,
forwarders, have their own lookup tables. It seems to cause grief over
the forwarder/stub lookup as well.

Operators expect the most specific. But the application has a simple
ordering, first check local-zone, then check forwards, then stubs.

Makes sense, and this is a common design pattern. One way to work
around it would be to return lists of matches and accumulate them
across all tables - none of these lookups would be costly. Then,
take the resulting set sorted by decreasing zone length and by
local/forwards/stubs for equal lengths, then simply use the first
entry.

Is this something worth to consider, or are you saying that the
behaviour is as-is and unlikely to change?

6

I'd definately expect most specific for any configured trust anchor.

Paul

7

Paul Wouters wrote:

I'd definately expect most specific for any configured trust anchor.

Yes it does that separate from the other tables.

Best regards,
   Wouter