I'm testing a version of the unblock-lan-zones patch backported to
1.4.22 (thanks Wouter!).
unbound.conf used for testing:
server:
    username: unbound
    directory: "/var/unbound"
    chroot: "/var/unbound"
    pidfile: "/var/run/local_unbound.pid"
    auto-trust-anchor-file: "/var/unbound/root.key"
    unblock-lan-zones: yes
    use-syslog: no

forward-zone:
    name: .
    forward-addr: 192.168.144.1
192.168.144.1 runs unbound with a few private zones:
% drill @192.168.144.1 nine.des.no A | grep '^[^;]'
nine.des.no. 3600 IN A 192.168.144.9
% drill @192.168.144.1 9.144.168.192.in-addr.arpa. PTR | grep '^[^;]'
9.144.168.192.in-addr.arpa. 3600 IN PTR nine.des.no.
Querying through local unbound without unblock-lan-zones, I get
NXDOMAIN:
% host 192.168.144.9
Host 9.144.168.192.in-addr.arpa not found: 3(NXDOMAIN)
With unblock-lan-zones, I get SERVFAIL after a brief delay:
% host 192.168.144.9
Host 9.144.168.192.in-addr.arpa not found: 2(SERVFAIL)
(the local unbound instance is running in debug mode, log beneath my
signature)
What I think is happening is that unbound rejects the answer as
fraudulent because a higher level in the domain hierarchy is signed and
has NSEC3 data indicating that it is empty.
BTW, when I try to check whether 168.192.in-addr.arpa. is signed (using
dig this time on a completely different computer) sometimes it is and
sometimes it isn't:
% dig +noall +answer 168.192.in-addr.arpa. any
168.192.in-addr.arpa. 9431 IN RRSIG NSEC 5 4 10800 20140605200133 20140526200133 22802 192.in-addr.arpa. ebIt5zFsTTQU9QltAZN3KfIIJX245QjwqdMaFOSyGTwdMV4DsZKtQZxU ssQ67K4agzs4raXvdayHALwzBmmxg4VXTnKBulTGwQRpxuB7eJgtlgn8 eJaIo+FcUAUYJMhZ6m8CWQqft93YQCgREFLxVeMiTAjSY3o5yurKraee ylU=
168.192.in-addr.arpa. 9431 IN NSEC 0.169.192.in-addr.arpa. NS RRSIG NSEC
168.192.in-addr.arpa. 85031 IN NS blackhole-2.iana.org.
168.192.in-addr.arpa. 85031 IN NS blackhole-1.iana.org.
168.192.in-addr.arpa. 135164 IN SOA prisoner.iana.org. hostmaster.neva.ru. 1 604800 60 604800 604800
% dig +noall +answer 168.192.in-addr.arpa. any
168.192.in-addr.arpa. 84736 IN NS blackhole-2.iana.org.
168.192.in-addr.arpa. 84736 IN NS blackhole-1.iana.org.
168.192.in-addr.arpa. 134869 IN SOA prisoner.iana.org. hostmaster.neva.ru. 1 604800 60 604800 604800
How do I work around this (short of asking ICANN politely to get their
shit together and allow 168.192.in-addr.arpa. to be non-empty)?
DES
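One unbound option that speaks to the hypothesis in the message above (validation failing because a signed ancestor in the public in-addr.arpa tree denies the private zone) is domain-insecure, which unbound.conf(5) documents for the case where a trust anchor for external lookups breaks resolution of an unsigned internal domain. Below is the testing configuration from the post with that single option added. This is an added example, not part of the original message or a reply from the list; it assumes the SERVFAIL really is a DNSSEC validation failure, as the post suspects, since domain-insecure does nothing for other failure causes (the debug log referred to above is not reproduced on this page).

```conf
# Added example, not from the original post: the unbound.conf used for
# testing, plus domain-insecure for the RFC 1918 reverse tree that is
# served by the forwarder at 192.168.144.1.
# ASSUMPTION: the SERVFAIL is a validation (bogus) result; only then
# does skipping the chain of trust for this subtree change the outcome.
server:
    username: unbound
    directory: "/var/unbound"
    chroot: "/var/unbound"
    pidfile: "/var/run/local_unbound.pid"
    auto-trust-anchor-file: "/var/unbound/root.key"
    unblock-lan-zones: yes
    use-syslog: no

    # Ignore the chain of trust from the root trust anchor at and below
    # this name: answers for these reverse names obtained via the
    # forwarder are then returned as insecure rather than rejected as
    # bogus. A trust anchor configured for the name would override this.
    # Scope it as narrowly as the private space actually in use; for the
    # single /24 in the post, "144.168.192.in-addr.arpa." would suffice.
    domain-insecure: "168.192.in-addr.arpa."

forward-zone:
    name: .
    forward-addr: 192.168.144.1
```

The cost of this setting is that DNSSEC no longer protects anything under the listed name, so a forged PTR or A answer injected between this resolver and the forwarder would be accepted for that subtree. That is acceptable only because the subtree is private address space answered by a forwarder the host already trusts for everything; do not widen it to in-addr.arpa. or to the root. After restarting unbound, the same `host 192.168.144.9` query used in the post is the check: a PTR answer instead of SERVFAIL confirms validation was the cause, while a persisting SERVFAIL means the failure lies elsewhere (the debug log is the next place to look).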