On 2023-02-06 14:33 -05, Ryan Kavanagh <[email protected]> wrote:
>>Synopsis: unwind ignores 'force' directive for home.arpa
>>Category: system
>>Environment:
> System : OpenBSD 7.2
> Details : OpenBSD 7.2-current (GENERIC.MP) #1015: Thu Feb 2 06:25:57 MST 2023
>
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
>>Description:
> Nameserver 10.0.1.1 provides the zone home.arpa on my network, and I
> would like unwind to forward requests for home.arpa and its subdomains
> to 10.0.1.1.
>
> unwind.conf(5) claims in its last example that I can force unwind(8) to
> use this forwarder to resolve home.arpa and its subdomains using a
> stanza 'force forwarder { home.arpa }'. Unexpectedly, unwind serves
> libunbound's default static, empty home.arpa zone instead of forwarding
> the request to the name server. Adding the 'bogus' keyword does not
> change this behaviour.
Please try this:
diff --git resolver.c resolver.c
index 93ec7b77a98..6131c7ccb95 100644
--- resolver.c
+++ resolver.c
@@ -232,7 +232,7 @@ struct val_neg_cache *unified_neg_cache;
int dns64_present;
int available_afs = HAVE_IPV4 | HAVE_IPV6;
-static const char * const as112_zones[] = {
+static const char * const forward_transparent_zones[] = {
/* RFC1918 */
"10.in-addr.arpa. transparent",
"16.172.in-addr.arpa. transparent",
@@ -328,6 +328,9 @@ static const char * const as112_zones[] = {
/* RFC3849 */
"8.B.D.0.1.0.0.2.ip6.arpa. transparent"
+
+ /* RFC 8375 */
+ "home.arpa. transparent"
};
const char bogus_past[] = "validation failure <. NS IN>: signature "
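Review bot: The added "home.arpa. transparent" line follows "8.B.D.0.1.0.0.2.ip6.arpa. transparent", which has no trailing comma, so the compiler concatenates the two adjacent string literals into one array element, "8.B.D.0.1.0.0.2.ip6.arpa. transparenthome.arpa. transparent". As written, the array gains no home.arpa entry and the RFC3849 entry is no longer a valid local-zone string. Add a comma after the ip6.arpa line, and preferably one after the new entry too so the next addition cannot repeat this. Minor style point: the new comment is spelled "RFC 8375" with a space while the existing ones use "RFC1918" and "RFC3849".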
@@ -1348,20 +1351,21 @@ create_resolver(enum uw_resolver_type type)
break;
}
- /* for the forwarder cases allow AS112 zones */
+ /* for the forwarder cases allow AS112 and special-use zones */
switch(res->type) {
case UW_RES_AUTOCONF:
case UW_RES_ODOT_AUTOCONF:
case UW_RES_FORWARDER:
case UW_RES_ODOT_FORWARDER:
case UW_RES_DOT:
- for (i = 0; i < nitems(as112_zones); i++) {
+ for (i = 0; i < nitems(forward_transparent_zones); i++) {
if((err = ub_ctx_set_option(res->ctx, "local-zone:",
- as112_zones[i])) != 0) {
+ forward_transparent_zones[i])) != 0) {
ub_ctx_delete(res->ctx);
free(res);
log_warnx("error setting local-zone: %s: %s",
- as112_zones[i], ub_strerror(err));
+ forward_transparent_zones[i],
+ ub_strerror(err));
return (NULL);
}
}
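Review bot: The loop in create_resolver() sets every array entry on all five resolver types listed in the switch (UW_RES_AUTOCONF through UW_RES_DOT), not only on a forwarder named in a force stanza. Once home.arpa is a transparent local-zone there, names under home.arpa that have no local data are resolved normally instead of being answered from the default empty zone the report describes, so those queries go to whichever of these upstreams is in use, which may be a resolver outside the local network. If that is the intended behaviour, the comment "allow AS112 and special-use zones" and unwind.conf(5) should say so; otherwise consider keeping home.arpa out of this shared list and lifting the default zone only for resolvers that have it in a force list.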
--
I'm not entirely sure you are real.