rDNS for fd::/8

My unbound config file is:

This might be because of the default local-data in unbound for RFC4193 addresses.

http://www.unbound.net/documentation/unbound.conf.html (ctrl-F RFC4193)

If that is the cause, you can remove it with

                   local-zone: D.F.ip6.arpa. nodefault

– Arni

Arni Birgisson
Professional Services
Men & Mice
Hlidarsmari 15, IS-201, Kopavogur, Iceland
Phone: +354 412 1500
Email: arnib@menandmice.com
www.menandmice.com

First Choice in IP Address Management

Men & Mice Blog | Follow us on Twitter | Men & Mice on Facebook

Disclaimer : www.menandmice.com/disclaimer

Oops - a little bit too quick to hit reply.
Didn't see that in your current config.

–Arni

My unbound config file is:

-------------------------------------
server:
verbosity: 1

statistics-interval: 84600
statistics-cumulative: yes
extended-statistics: yes

interface: 10.20.1.1
interface: 127.0.0.1
interface: fdcf:b715:2f4d:1::1
interface: ::1

access-control: 0.0.0.0/0 refuse
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.1 allow

access-control: ::0/0 refuse
access-control: fdcf:b715:2f4d:1::/64 allow
access-control: fe80::/64 allow
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
access-control: 2001:xxxx:xxxx:1::/64 allow

cache-min-ttl: 0

root-hints: "/var/unbound/etc/named.cache"

# auto-trust-anchor-file: "/var/unbound/etc/root.key"

domain-insecure: "241acl.lan"

local-zone: "10.in-addr.arpa." nodefault
local-zone: "d.f.ip6.arpa." nodefault

stub-zone:
name: "241acl.lan"
stub-addr: fdcf:b715:2f4d:3::1

stub-zone:
name: "10.in-addr.arpa"
stub-addr: fdcf:b715:2f4d:3::1

stub-zone:
name: "d.f.ip6.arpa"
stub-addr: fdcf:b715:2f4d:3::1

remote-control:
control-enable: yes
control-interface: ::1

-----------------------------------------

and I am running unbound 1.4.17 on OpenBSD 5.2.

With the config file as above, all forward and reverse DNS lookups work
fine. However, when I uncomment the auto-trust-anchor-file, then the
rDNS lookups for fd::/8 addresses stop working. Increasing log
verbosity, it looks like unbound is traipsing to the root servers
looking for a DNSSEC key and not finding one. Then the rDNS request
is
The delegation to 10.in-addr.arpa is insecure:

[krill:~]% dig @a.in-addr-servers.arpa 10.in-addr.arpa soa +dnssec +norec

; <<>> DiG 9.8.3-P1 <<>> @a.in-addr-servers.arpa 10.in-addr.arpa soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37726
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;10.in-addr.arpa. IN SOA

;; AUTHORITY SECTION:
10.in-addr.arpa. 86400 IN NS blackhole-1.iana.org.
10.in-addr.arpa. 86400 IN NS blackhole-2.iana.org.
10.in-addr.arpa. 3600 IN NSEC 100.in-addr.arpa. NS RRSIG NSEC
10.in-addr.arpa. 3600 IN RRSIG NSEC 8 3 3600 20130403190610 20130327152523 30304 in-addr.arpa. jEbmL7O2Lsot3L8DZwEgZqik7Xpdh1uoVyAykVrxiP9TqCEN013oDiPn WzEaGccs3sPv3nrZpYJEfe9107N3cjgmfGNUy08g+l1FZQbQQC5dg5p/ KtFuOKp4AQZ0o/RS5+XXuWxxLHXMJPwQRi0HrXRJEHXLmvJ94YD2XvHb OlU=

;; Query time: 94 msec
;; SERVER: 2001:500:13::73#53(2001:500:13::73)
;; WHEN: Wed Mar 27 14:26:59 2013
;; MSG SIZE rcvd: 314

[krill:~]%

There *is* no delegation for d.f.ip6.arpa:

[krill:~]% dig @a.ip6-servers.arpa d.f.ip6.arpa soa +dnssec +norec

; <<>> DiG 9.8.3-P1 <<>> @a.ip6-servers.arpa d.f.ip6.arpa soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26488
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;d.f.ip6.arpa. IN SOA

;; AUTHORITY SECTION:
ip6.arpa. 0 IN SOA b.ip6-servers.arpa. hostmaster.icann.org. 2011027460 1800 900 604800 3600
ip6.arpa. 0 IN RRSIG SOA 8 2 3600 20130403195609 20130327152714 17280 ip6.arpa. GfYP2Q+e3c+MDWcS9U2ZQYpUexHO9yHqHIT0S530UG2f2CHGfyGEyG+k VsGfV+Naq5uDLVcVeG6Nudajuj8GSOW3mKJQyXavyOBbA4lP5cZyiZBg UVm434fYw5gwA+IUrq+qxpaA0VFfFJ1Xv2ZeF4fK2kEyVD4KGjB7UPMI 09c=
ip6.arpa. 3600 IN NSEC 2.0.1.0.0.2.ip6.arpa. NS SOA RRSIG NSEC DNSKEY
ip6.arpa. 3600 IN RRSIG NSEC 8 2 3600 20130403182935 20130327152714 17280 ip6.arpa. HvZL9ih3EiUZDEGMbMoKsDPYlm1sFqnZFuliiYXNA1KsBASzQ/IoKksm bc1XBDJua9zMNcMSbyzJLEocJ+cpvhxQ8Qof5w2ECoxNcNAspJsiqiwd 32v5YIojPPWIEvz9BnsGBvM0nccR+Gm6AqMpes+WvuJdwRaIIk9Cz+2v icY=
0.c.2.ip6.arpa. 3600 IN NSEC ip6.arpa. NS DS RRSIG NSEC
0.c.2.ip6.arpa. 3600 IN RRSIG NSEC 8 5 3600 20130404010822 20130327152714 17280 ip6.arpa. enGDPcIFsYEx9X+xX1kFdeaSqQwBdqEQn+4b2PVKGmIdfGVXSjuNp7AH hS5mNUDzCorN5Br6Jm7K9l6uOT08agZvAPQViN6e1r2S+VH5nxWvmg+0 nSUgYIZeKfP8xBJYoHwPahyvP/zvUvw4KpUg28js/gSFGGjqTcHZLyVB ecQ=

;; Query time: 96 msec
;; SERVER: 2001:500:13::73#53(2001:500:13::73)
;; WHEN: Wed Mar 27 14:27:58 2013
;; MSG SIZE rcvd: 692

[krill:~]%

Your local data for d.f.ip6.arpa is conflicting with the signed non-existence of those names in the ip6.arpa zone.

This does not happen with 10.in-addr.arpa because your validator knows that zone is insecure anyway.

Joe
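To make the difference Joe describes concrete, here is an added example (my own code, not from the thread or from unbound) that applies the validator's NSEC checks from RFC 4034 section 6.1 and RFC 4035 sections 5.2 and 5.4 to the two dig answers quoted above. The helper names are mine; the only input is the NSEC records copied from those answers. It shows that the 10.in-addr.arpa NSEC carries NS but no DS, which the parent signs as an insecure delegation (so unsigned data below it is accepted), while the ip6.arpa NSEC chain is a complete signed NXDOMAIN proof for d.f.ip6.arpa, which a stub answer claiming names under it contradicts.

```python
# Added example (not from the thread): RFC 4034 canonical ordering and the
# NSEC checks a DNSSEC validator applies to the two dig answers in the thread.
# Constructed input: the NSEC records copied from those AUTHORITY sections.


def labels(name):
    """Lowercased labels of a DNS name, root-side first, which is the order
    the canonical ordering of RFC 4034 section 6.1 compares them in."""
    name = name.rstrip(".").lower()
    return [] if not name else list(reversed(name.split(".")))


def canonical_key(name):
    """Sort key for canonical DNS name order: labels compared as octet
    strings from the root down; a name sorts before its own subdomains."""
    return [label.encode("ascii") for label in labels(name)]


def is_ancestor(parent, child):
    p, c = labels(parent), labels(child)
    return len(p) < len(c) and c[: len(p)] == p


def nsec_covers(nsec, qname):
    """True if the NSEC (owner, next, types) proves qname does not exist."""
    owner, next_name, types = nsec
    if is_ancestor(owner, qname) and "NS" in types and "SOA" not in types:
        # RFC 4035 5.4: the owner is a delegation point; names below it live
        # in the child zone and this NSEC says nothing about them.
        return False
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return o < q  # next points back to the apex: last NSEC in the zone


def delegation_status(nsec):
    """Classify an NSEC owner from its type bitmap (RFC 4035 section 5.2)."""
    _, _, types = nsec
    if "SOA" in types:
        return "zone apex"
    if "NS" in types:
        return "secure delegation" if "DS" in types else "insecure delegation"
    return "not a delegation"


def nxdomain_proof(qname, nsecs):
    """Return the proof pieces if nsecs prove qname does not exist, else None:
    the NSEC covering qname, the closest encloser (longest NSEC owner that is
    an ancestor of qname) and the NSEC covering the wildcard at that encloser."""
    covering = next((n for n in nsecs if nsec_covers(n, qname)), None)
    if covering is None:
        return None
    ancestors = [n[0] for n in nsecs if is_ancestor(n[0], qname)]
    if not ancestors:
        return None
    encloser = max(ancestors, key=lambda name: len(labels(name)))
    wildcard = "*." + encloser
    wildcard_nsec = next((n for n in nsecs if nsec_covers(n, wildcard)), None)
    if wildcard_nsec is None:
        return None
    return {"covered_by": covering[0], "closest_encloser": encloser,
            "wildcard_covered_by": wildcard_nsec[0]}


# Constructed from the AUTHORITY sections quoted in the thread.
IN_ADDR_NSECS = [
    ("10.in-addr.arpa.", "100.in-addr.arpa.", {"NS", "RRSIG", "NSEC"}),
]
IP6_NSECS = [
    ("ip6.arpa.", "2.0.1.0.0.2.ip6.arpa.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("0.c.2.ip6.arpa.", "ip6.arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    # Parent proves an unsigned child: data below 10.in-addr.arpa is accepted.
    print("10.in-addr.arpa:", delegation_status(IN_ADDR_NSECS[0]))
    # Parent proves the name does not exist at all: stub answers are bogus.
    print("d.f.ip6.arpa:", nxdomain_proof("d.f.ip6.arpa.", IP6_NSECS))
    # The delegation NSEC cannot deny names in the child zone.
    print("1.0.0.10.in-addr.arpa:", nxdomain_proof("1.0.0.10.in-addr.arpa.", IN_ADDR_NSECS))
```

Two details of the canonical order decide the outcome: `2.0.1.0.0.2.ip6.arpa` sorts before `d.f.ip6.arpa` because the octet `2` is smaller than `f`, so the apex NSEC does not cover the name, and the last NSEC in the zone (`0.c.2.ip6.arpa` pointing back to `ip6.arpa`) covers everything that sorts after its owner, which is what denies `d.f.ip6.arpa`. On the unbound side, the `domain-insecure:` directive documented in the unbound.conf man page linked earlier in the thread (and already used in the posted config for `241acl.lan`) is the mechanism that tells the validator to treat a name as unsigned instead of walking the chain of trust down to it; the thread itself does not say which setting the poster ended up using.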