Say you use unbound(8) as a validating resolver. And you use IPv6
ULA private address space on your network and you have configured
stub zones in unbound(8) to resolve your private host names.
Name resolution works fine, but reverse resolution does not. WTF?
To save you the hours I wasted on this, here are two things you
need to know:
1. By default, unbound(8) internally returns NXDOMAIN for a number
of reverse DNS zones for private and reserved addresses. This
includes d.f.ip6.arpa. It's actually mentioned in the unbound.conf(5)
man page. So if you use fdxx:xxxx:xxxx::/48, you want to add
local-zone: "x.x.x.x.x.x.x.x.x.x.d.f.ip6.arpa." transparent
to your unbound.conf(5).
2. If you have DNSSEC validation enabled, reverse resolution still
fails. At a sufficient verbosity level, unbound(8) says:
Could not establish a chain of trust to keys for f.ip6.arpa. DNSKEY IN
It greatly helps to add a negative trust anchor for the ULA space
to unbound.conf(5):
domain-insecure: "d.f.ip6.arpa."
PS:
Since we're talking about ULA space, the way to generate the digits
for your unique prefix is this: openssl rand -hex 5
Ignore the RFC 4193 algorithm. It is intended for people who don't
have randomness.
--
Christian "naddy" Weisgerber