On 07/06/2012 04:45 PM, W.C.A. Wijngaards wrote:
>>>> So unbound asks dnsmasq for the address of "myhost.lan" as it
>>>> is instructed by forward-zone, gets correct result (!), but
>>>> then marks it bogus because it cannot establish trust chain.
>>>
>>> You'll need
>>>
>>> private-domain: "lan."
>>> domain-insecure: "lan."
>
>> Wow, that was fast! After also adding "do-not-query-localhost: no"
>> (and 'local-zone: "168.192.in-addr.arpa" nodefault' for the reverse
>> zone) it all worked!
>
>> Thanks a lot!
>
>> Any chance to make these sort of tricks more apparent in the
>> documentation?
>
> Where in the documentation have you been looking, i.e. does it make
> sense to add some text to help out?

I was reading unbound.conf(5) because there is no relevant doc in the
Guides section.

I'd say, a separate "HowTo Configure Forward For Local Zones" document
would be ideal for my particular case. Or, spray hints in the
unbound.conf manpage like so:

- In the description of "forward-zone" and "stub-zone" mention that:
  + if this is a local zone that does not have a DS in the parent zone,
    you must list the name as "domain-insecure",
  + if it may contain private addresses, then also in "private-domain"
  + if it is a reverse zone for private address range, the zone needs
    to be configured "local-zone: <zone.in-addr-arpa> nodefault"
- In the description of "forward-addr" note that if you specify
  loopback address you should also add "do-not-query-localhost: no"

I think a separate HowTo might be better because this is a relatively
common setup, so many would benefit, and on the other hand the manpage
is rather long and dense already.

I could knock up a short doc, shall I try?

Regards,

Eugene
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
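
The options named in this thread, collected into one unbound.conf fragment. This is an added example, not part of the original messages or the Unbound documentation; the dnsmasq address and port (127.0.0.1@5353) and the forward-zone for the reverse zone are assumptions.

```conf
# Added example: forwarding an unsigned local zone to dnsmasq from a
# validating Unbound. Assembled from the options discussed in the thread.
server:
    # Unbound refuses to send queries to loopback addresses by default.
    # Needed here because the forwarder (dnsmasq) listens on localhost.
    do-not-query-localhost: no

    # "lan." has no DS record in its parent, so the validator cannot build
    # a chain of trust and marks answers bogus. This disables validation
    # for "lan." and below only; keep the name as narrow as possible so
    # the rest of the tree is still validated.
    domain-insecure: "lan."

    # Allow answers under "lan." to carry private addresses. Relevant
    # when private-address: filtering (rebinding protection) is enabled.
    private-domain: "lan."

    # Drop Unbound's built-in default zone for 192.168.0.0/16 reverse
    # lookups so those queries can reach the forwarder instead.
    local-zone: "168.192.in-addr.arpa" nodefault

forward-zone:
    name: "lan."
    # Assumed address and port for the local dnsmasq instance.
    forward-addr: 127.0.0.1@5353

# Assumed: the reverse zone is served by the same dnsmasq instance.
forward-zone:
    name: "168.192.in-addr.arpa"
    forward-addr: 127.0.0.1@5353
```

Run `unbound-checkconf` on the resulting file before restarting the daemon.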
