Servers for local zones that are not signed

Hello all,

sorry if this was discussed already, I could not find the answer.

I am trying to configure unbound (1.4.5, running on openwrt) to resolve local
zones ("lan." and "168.192.in-addr.arpa.") from another DNS server that has them
(in my case, dnsmasq: I want DHCP names resolved in the .lan zone).

I configured "the other DNS server" to bind to a non-standard port (5553) and put
this into unbound.conf:

forward-zone:
        name: "lan."
        forward-addr: 127.0.0.1@5553

(I also tried "stub-zone:" with "stub-addr:"). Now I am trying to resolve
"myhost.lan", which is registered in dnsmasq (I can get the address if I ask "dig
-p 5553 myhost.lan @<openwrt-ip-addr>"). But resolving through unbound does not
work because unbound tries to obtain the DS for "lan." from the root
nameservers. _If_ it got NODATA, everything would have been OK: I would get an
"insecure" (without 'ad') answer, as from normal non-DNSSEC zones. But obviously
the root servers answer with NXDOMAIN. So unbound asks dnsmasq for the address
of "myhost.lan", as it is instructed by forward-zone, gets the correct result (!),
but then marks it bogus because it cannot establish a trust chain.

As I understand it, unbound should not try to get the DS from the parent of a zone
that is configured as "forward" or "stub": if it is by definition "local", then
there is no point in asking the "global authorities" to certify it. If your local
zones _are_ signed, you should be able to add 'local-data "lan. DS ....."', but
if they are _not_ signed, the resolver should behave as if the DS query returned
NODATA.

Am I missing something?
Is unbound missing something?
Is there a workaround?

Thanks,

Eugene

> So unbound asks dnsmasq for the address
> of "myhost.lan", as it is instructed by forward-zone, gets the correct result (!),
> but then marks it bogus because it cannot establish a trust chain.

You'll need

        private-domain: "lan."
        domain-insecure: "lan."

Regards,

        -JP

Wow, that was fast!
After also adding "do-not-query-localhost: no" (and 'local-zone:
"168.192.in-addr.arpa" nodefault' for the reverse zone) it all worked!

Thanks a lot!

Any chance to make these sorts of tricks more apparent in the documentation?

Eugene

Hi Eugene,

I was reading unbound.conf(5) because there is no relevant doc in the Guides
section. I'd say, a separate "HowTo Configure Forward For Local Zones" document
would be ideal for my particular case. Or, spray hints in the unbound.conf
manpage like so:

- In the description of "forward-zone" and "stub-zone" mention that:
+ if this is a local zone that does not have a DS in the parent zone, you must
list the name as "domain-insecure",
+ if it may contain private addresses, then also in "private-domain"
+ if it is a reverse zone for private address range, the zone needs to be
configured "local-zone: <zone.in-addr-arpa> nodefault"
- In the description of "forward-addr" note that if you specify loopback address
you should also add "do-not-query-localhost: no"

I think a separate HowTo might be better because this is a relatively common
setup, so many would benefit, and on the other hand the manpage is rather long
and dense already. I could knock up a short doc, shall I try?

Regards,

Eugene
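Putting the pieces from this thread together, as an added example rather than a configuration posted by anyone in the thread: an unbound.conf fragment that forwards the unsigned "lan." zone and its reverse zone to dnsmasq on 127.0.0.1@5553. Forwarding the reverse zone and listing it as domain-insecure are my assumptions; the thread itself only mentions the local-zone nodefault for it.

```conf
server:
    # The forwarder lives on loopback; unbound refuses to query 127.0.0.1
    # unless this is set.
    do-not-query-localhost: no

    # "lan." has no DS in the root zone (the root answers NXDOMAIN), so
    # unbound cannot build a chain of trust and would mark the answers bogus.
    # domain-insecure switches validation off for this name only. Keep this
    # list as short as possible: everything below such a name is accepted
    # without any DNSSEC proof.
    domain-insecure: "lan."

    # Answers from dnsmasq carry RFC 1918 addresses. If private-address is
    # configured (e.g. for 192.168.0.0/16), unbound strips those from answers
    # unless the zone is listed here.
    private-domain: "lan."

    # unbound serves the RFC 1918 reverse zones itself (returning NXDOMAIN)
    # unless its built-in local-zone for that name is disabled.
    local-zone: "168.192.in-addr.arpa." nodefault
    # Assumption: treat the reverse zone like "lan." so that unsigned PTR
    # answers from dnsmasq are not marked bogus either.
    domain-insecure: "168.192.in-addr.arpa."

forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5553

forward-zone:
    # Assumption: dnsmasq also answers the reverse lookups for the LAN.
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5553
```

Run unbound-checkconf on the file before reloading; a "dig myhost.lan" through unbound should then return the address without the 'ad' flag, while names outside the listed zones are still validated.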