rfc6761 compliance

Hello,

RFC 6761 gives some advice on how caching DNS servers SHOULD
handle queries for reserved domains. Mostly it says
"do not send queries to the root name servers"

... point 4 in any case ...
http://tools.ietf.org/html/rfc6761#section-6.2 ( domain "test." )
http://tools.ietf.org/html/rfc6761#section-6.4 ( domain "invalid." )

It looks like unbound doesn't follow those "SHOULD" recommendations.
Is this a misconfiguration on my side?

my unbound.conf:
     server:
          ip-address: ::1
          chroot: /chroot/unbound
          do-daemonize: no
          val-log-level: 2
          trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
          # other options

Adding local-zone statements makes unbound fix the "un-conformance" here.

     server:
         local-zone: "test." static
         local-zone: "invalid." static

Andreas

I am also curious why these domains are not handled specially by Unbound
as RFC 6761 recommends. Interestingly, BIND has the exact same behavior
as Unbound for these two domains. (See https://bugs.debian.org/55032
for details.)

Hi Robert, Andreas,

Hi, Wouter:

I would guess that the .test and .invalid zones are much less used in
private networks than the .in-addr.arpa ones, so much less likely to be
a FAQ. And most of the code to set up default empty zones has been
written already.

Here are the caching DNS considerations for the zones that Unbound
currently doesn't handle:

[ "test." ]
       Caching DNS servers SHOULD recognize test names as special and
       SHOULD NOT, by default, attempt to look up NS records for them,
       or otherwise query authoritative DNS servers in an attempt to
       resolve test names. Instead, caching DNS servers SHOULD, by
       default, generate immediate negative responses for all such
       queries. This is to avoid unnecessary load on the root name
       servers and other name servers. Caching DNS servers SHOULD offer
       a configuration option (disabled by default) to enable upstream
       resolving of test names, for use in networks where test names are
       known to be handled by an authoritative DNS server in said
       private network.

[ "invalid." ]
       Caching DNS servers SHOULD recognize "invalid" names as special
       and SHOULD NOT attempt to look up NS records for them, or
       otherwise query authoritative DNS servers in an attempt to
       resolve "invalid" names. Instead, caching DNS servers SHOULD
       generate immediate NXDOMAIN responses for all such queries. This
       is to avoid unnecessary load on the root name servers and other
       name servers.

[ "onion." ]
       Caching DNS Servers: Caching servers, where not explicitly
       adapted to interoperate with Tor, SHOULD NOT attempt to look up
       records for .onion names. They MUST generate NXDOMAIN for all
       such queries.

I notice the .onion Special-Use registration has a MUST while the other
two only have SHOULDs.

Probably there will be a few more additions to the Special-Use Domain
Names registry, and even if they only generate a trivial amount of root
server load now, that means it's easy to prevent them from becoming a
problem later :)

While I don't see much harm in test and invalid, there is a stronger case
for onion not to leak out. I hope upstream will block it by default.
If not, I might add a conf file to do so in the default unbound
configuration for Fedora.

Paul
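The behaviour the RFC excerpts above ask of a caching resolver, and that Andreas's local-zone statements approximate, comes down to a small decision at query time: match the QNAME against the special-use suffixes, answer locally instead of querying upstream, and honour an operator option that re-enables upstream resolution for "test." only. The following is an added example, not Unbound's code and not from anyone in this thread; it parses a DNS query from wire format, applies that decision, and synthesises a minimal NXDOMAIN reply. The option name `allow_test_upstream` and the helper names are assumptions for illustration, and the query packet is constructed in the block.

```python
import struct

# Special-use zones discussed in the thread. The value names the operator
# option (an assumed name, not an Unbound setting) that re-enables upstream
# resolution, or None where the RFC text offers no such opt-out.
SPECIAL_USE = {
    "test.": "allow_test_upstream",  # RFC 6761 s6.2: SHOULD, with a config option
    "invalid.": None,                # RFC 6761 s6.4: SHOULD answer NXDOMAIN
    "onion.": None,                  # RFC 7686: MUST answer NXDOMAIN
}


def parse_qname(packet, offset=12):
    """Decode the uncompressed QNAME starting at `offset` (12 = after header).
    Returns (lower-cased name with trailing dot, offset just past the name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels) + ".", offset


def special_use_action(qname, options=None):
    """Return "nxdomain" if the name must be answered locally, else "forward"."""
    options = options or {}
    name = qname.lower()
    if not name.endswith("."):
        name += "."
    for zone, opt in SPECIAL_USE.items():
        # Match the zone apex itself and any name below it, never "notinvalid."
        if name == zone or name.endswith("." + zone):
            if opt and options.get(opt):
                return "forward"   # operator explicitly allowed upstream lookups
            return "nxdomain"
    return "forward"


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a standard query packet (constructed test input)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + wire + struct.pack("!HH", qtype, 1)         # QCLASS=IN


def build_nxdomain_response(query):
    """Minimal reply: same ID, question echoed, RCODE=3, no records.
    A production resolver would add an SOA in the authority section so the
    negative answer is cacheable (RFC 2308); that is left out here."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, end = parse_qname(query)
    question = query[12:end + 4]            # QNAME + QTYPE + QCLASS
    rd = flags & 0x0100
    resp_flags = 0x8000 | rd | 0x0080 | 3   # QR, RD copied, RA, RCODE=NXDOMAIN
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + question


def handle_query(query, options=None):
    """Decide for one query packet; returns (action, response_or_None)."""
    qname, _ = parse_qname(query)
    action = special_use_action(qname, options)
    if action == "nxdomain":
        return action, build_nxdomain_response(query)
    return action, None   # caller would send this one to the upstream resolver


if __name__ == "__main__":
    q = build_query("www.example.invalid.")
    print(handle_query(q))
    print(handle_query(build_query("host.test."), {"allow_test_upstream": True}))
```

The suffix check runs before any cache lookup or upstream query, which is the point of the RFC text: the root servers never see the name. Note that the "test." entry is the only one where the option flips the outcome, mirroring the RFC's "disabled by default" wording.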