private ipv6 address space

Good (insert your locale time of the day) all members of this list.

I have trouble with my instance of Unbound (OpenBSD 6.1 stable) with private IPv6 space.

I have a local DNS resolver/cache (Dnsmasq) which works perfectly on my router. The Unbound instance is supposed to redirect all DNS requests regarding private domains and address space to it:

private-address: fd00:2016:22::/48

access-control: ::0/0 refuse
access-control: ::1/128 allow
access-control: fd00:2016:22::/48 allow

local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault

domain-insecure: "22decembre.eu."
domain-insecure: "22december.dk."
domain-insecure: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."

stub-zone:
    name: "22decembre.eu."
    stub-addr: "fd00:2016:22:dec::1"

stub-zone:
    name: "22december.dk."
    stub-addr: "fd00:2016:22:dec::1"

stub-zone:
    name: "d.f.ip6.arpa."
    stub-addr: "fd00:2016:22:dec::1"

stub-zone:
    name: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
    stub-addr: "fd00:2016:22:dec::1"

#domain-insecure: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
#local-zone: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
stub-zone:
    name: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
    stub-addr: "fd00:2016:22:dec::1"

(In the beginning - aka before two days ago - I used forward zones pointing at fd00:2016:22:dec::1 aka dnsmasq and the whole thing worked smoothly as intended. It does not anymore and I tried to upgrade my conf according to the manual and my understanding is that this conf is supposed to be done with stub-zones.)

But apparently, whenever I send a request for 22decembre.eu or 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa., I get blocked:

; <<>> DiG 9.4.2-P2 <<>> @unbound mirror.22decembre.eu
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6329
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mirror.22decembre.eu. IN A

;; Query time: 3 msec
;; SERVER: fd00:2016:22:dec::3#53(fd00:2016:22:dec::3)
;; WHEN: Tue Aug 1 10:10:01 2017
;; MSG SIZE rcvd: 38

stephane@blackblock:/home/stephane dig -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.

; <<>> DiG 9.4.2-P2 <<>> -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46873
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. IN PTR

;; AUTHORITY SECTION:
d.f.ip6.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800

Can anyone tell me what mistake(s) I am making? Thank you in advance.

dnsmasq is a forwarding resolver and you need "forward" clauses instead of "stub" clauses. As you know, it's similar user configuration syntax, but different communication behaviors. "Stub" is a shortcut to an authoritative server. Also, dnsmasq compiled with authoritative conditional compile options can pretend, but it has limited function.

Hi,

Also,
local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault
has to be d.f.ip6.arpa nodefault, to disable the default zone that is
upwards from your private zone.

Best regards, Wouter

I answer in order to give the solution to those in need, as I found it.

I needed to have:

private-domain: "22decembre.eu."

So my domain can have private addresses (10.0.0.0/8 and fd00:2016...).
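
The two option problems raised in the replies, as an added example that is not code from any poster or from the Unbound project: a small Python lint that derives the ip6.arpa zone for the ULA prefix, then flags a missing `d.f.ip6.arpa.` nodefault and a missing `private-domain`. The function names and the cut-down sample configuration are constructed for illustration, and the private-domain check is a heuristic; the script cannot tell whether a target is a forwarder, so the stub/forward swap is applied in `FIXED` but not checked.

```python
import ipaddress
import re

# Unbound's built-in ULA reverse zone (SOA owner in the thread's second dig answer).
ULA_DEFAULT_ZONE = "d.f.ip6.arpa."

def reverse_zone(prefix):
    """ip6.arpa zone name for an IPv6 prefix on a 4-bit boundary."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("need an IPv6 prefix on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def values(conf, key):
    """Values of every uncommented `key:` line, unquoted and lower-cased."""
    pat = re.compile(rf"^[ \t]*{re.escape(key)}:[ \t]*(.+?)[ \t]*$", re.M)
    return [v.replace('"', "").lower() for v in pat.findall(conf)]

def under(name, zone):
    return name == zone or name.endswith("." + zone)

def check(conf):
    """Hypothetical lint: report the two option problems found in this thread."""
    findings = []
    nodefault = [v.split()[0] for v in values(conf, "local-zone") if v.endswith(" nodefault")]
    private_domains = values(conf, "private-domain")
    filtering = bool(values(conf, "private-address"))
    for zone in values(conf, "name"):  # stub-zone and forward-zone names
        if under(zone, ULA_DEFAULT_ZONE):
            if ULA_DEFAULT_ZONE not in nodefault:
                findings.append(f"{zone}: built-in {ULA_DEFAULT_ZONE} not disabled")
        elif filtering and not any(under(zone, d) for d in private_domains):
            findings.append(f"{zone}: private-address set, no private-domain")
    return findings

# Constructed sample: a cut-down copy of the configuration posted above.
REV = reverse_zone("fd00:2016:22::/48")
POSTED = f'''private-address: fd00:2016:22::/48
local-zone: "{REV}" nodefault
stub-zone:
    name: "22decembre.eu."
    stub-addr: "fd00:2016:22:dec::1"
stub-zone:
    name: "{REV}"
    stub-addr: "fd00:2016:22:dec::1"
'''
# The three replies applied: forward clauses, d.f.ip6.arpa. nodefault, private-domain.
FIXED = 'private-domain: "22decembre.eu."\n' + POSTED.replace("stub-", "forward-").replace(
    f'"{REV}" nodefault', f'"{ULA_DEFAULT_ZONE}" nodefault')
```

`check(POSTED)` reports one finding per zone, and `check(FIXED)` reports none.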