Great, further tests have given some successful results: some good/improvement & few bad/unsolved:
Below config file worked on WinXP :-) to resolve such TLDs: '42', 'geek' (1 TLD of OpenNIC), 'ita' (1 TLD of CesidianRoot), 'ovh', 'xn--e1apq' (1 TLD of i-DNS.net). But could not resolve 'bit', 'ti' (1 TLD of New-Nations.net) :-(

# BEGIN of service.conf / unbound.conf file
# Last Modified 2012-08-27 23:05
# Copyright (C) 2012 Bry8Star. (bry8 star a.t ya hoo d.o.t c om)
server:
    verbosity: 3
    statistics-interval: 0
    statistics-cumulative: "no"
    extended-statistics: "no"
    num-threads: 2
    interface: 127.0.0.1
    interface: 192.168.0.10
    interface: ::1
    interface-automatic: "no"
    port: 53
    outgoing-interface: 192.168.0.10
    outgoing-range: 400
    outgoing-port-permit: 52000-56096
    outgoing-port-avoid: "22,25,26,37,53,54,55,67,68,69,80,110,123,135,137,138,139,143,443,445,465,500,587,843,990,912,993,995,1025,1863,1935,2082,2083,2096,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8210,8225,8243,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,10000,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,30600,31000,32000,36999,50300"
    outgoing-num-tcp: 8
    incoming-num-tcp: 8
    so-rcvbuf: 8m
    so-sndbuf: 8m
    edns-buffer-size: 4096
    msg-buffer-size: 65552
    msg-cache-size: 24m
    msg-cache-slabs: 4
    num-queries-per-thread: 200
    jostle-timeout: 200
    rrset-cache-size: 48m
    rrset-cache-slabs: 4
    cache-min-ttl: 0
    cache-max-ttl: 21600
    infra-host-ttl: 900
    infra-cache-slabs: 4
    infra-cache-numhosts: 10000
    do-ip4: "yes"
    do-ip6: "no" # for now
    do-udp: "yes"
    do-tcp: "yes"
    tcp-upstream: "no"
    do-daemonize: "yes"
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.10/24 allow
    access-control: ::1 allow
    logfile: "C:\Program Files\Unbound\unbound.log"
    use-syslog: "no"
    log-time-ascii: "yes"
    log-queries: "no"
    root-hints: "C:\Program Files\Unbound\named.cache"
    hide-identity: "yes"
    hide-version: "yes"
    identity: "DNS"
    version: "1.0.0"
    target-fetch-policy: "3 2 1 1 1 1"
    harden-short-bufsize: "no"
    harden-large-queries: "no"
    harden-glue: "yes"
    harden-dnssec-stripped: "yes"
    harden-below-nxdomain: "no"
    harden-referral-path: "no"
    use-caps-for-id: "no"
    unwanted-reply-threshold: 1000
    prefetch: "yes"
    prefetch-key: "yes"
    rrset-roundrobin: "yes"
    minimal-responses: "no"
    module-config: "validator iterator"
    dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
    # Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key
    # DLV, DNS Lookaside Validation, for the root
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
    #trust-anchor-file: "<filename>"
    # File with trusted keys for validation. Specify more
    # than one file with several entries, one file per entry.
    # Standard DNS Zone file format, with DS, DNSKEY entries.
    #trusted-keys-file: "<filename>"
    # File with trusted keys for validation. Specify more
    # than one file with several entries, one file per entry.
    # Like trust-anchor-file, but in BIND-9 format.
    domain-insecure: "42"
    domain-insecure: "ovh"
    domain-insecure: "bit"
    domain-insecure: "ita"
    domain-insecure: "geek"
    domain-insecure: "glue"
    domain-insecure: "xn--e1apq"
    # Other domain-insecure TLDs
    # which are inside other AltRootDNS
    # and does not have DNSSEC record, key yet
    val-bogus-ttl: 60
    val-sig-skew-max: 86400
    val-clean-additional: "yes"
    val-permissive-mode: "no"
    ignore-cd-flag: "yes"
    val-log-level: 2
    #val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
    key-cache-size: 24m
    key-cache-slabs: 4
    neg-cache-size: 4m
    # Blocking below TLDs
    local-zone: "onion." refuse # disallow via public route
    local-zone: "i2p." refuse # suppose to go via proxy route
remote-control:
    control-enable: "no"
stub-zone:
    name: "42" # http://42registry.org/
    stub-host: a.42tld-servers.net. # name / DNS Srvr
    stub-host: b.42tld-servers.net.
    stub-host: c.42tld-servers.net.
    stub-host: d.42tld-servers.net.
    # GeekNode OpenResolvers:
    stub-addr: 81.93.248.69
    stub-addr: 81.93.248.68
    stub-addr: 91.194.60.196
    stub-addr: 193.17.192.53
    # Psilo.fr resolvers:
    stub-addr: 109.235.51.12
    stub-addr: 85.17.236.67
    # test above with "search.42" , "nic.42"
stub-zone:
    name: "ovh" # http://ovh.co.uk/
    stub-addr: 213.251.128.133 # name / DNS Srvr
    stub-addr: 213.251.188.133
stub-zone:
    name: "bit" # http://dot-bit.org , NameCoin
    stub-host: ns.dot-bit.bit. # name / DNS Srvr
    stub-addr: 178.32.31.41 # ns.dot-bit.bit
    stub-addr: 108.174.61.249
    stub-addr: 78.47.86.43
    stub-addr: 96.127.133.37
    stub-addr: 69.194.226.23
    stub-addr: 194.71.109.237
    stub-addr: 2001:41d0:2:a5d9::101 # ns.dot-bit.bit
    # test above with "dot-bit.bit"
# New-Nations.net has 6 TLDs: (now showing only 1 below)
stub-zone:
    name: "ti"
    stub-host: ns1.new-nations.ti.
    stub-host: ns2.new-nations.ti.
    stub-addr: 88.84.130.20 # ns1.New-Nations.net West Asia
    stub-addr: 194.50.176.206 # ns2.New-Nations.net West Asia
# OpenNIC : http://www.opennicproject.org/ :
# 14 TLDs: .geek, .free, .bbs, .parody, .oss,
# .indy, .fur, .ing, .micro, .dyn, .neo,
# .pirate, gopher and null.
# Showing only 2 out of 14 TLD below:
stub-zone:
    name: "geek"
    stub-host: ns2.opennic.glue.
    stub-host: ns3.opennic.glue.
    stub-host: ns4.opennic.glue.
    stub-host: ns5.opennic.glue.
    stub-host: ns6.opennic.glue.
    stub-host: ns7.opennic.glue.
    stub-host: ns8.opennic.glue.
    stub-host: ns21.opennic.glue.
stub-zone:
    name: "glue"
    stub-host: ns2.opennic.glue.
    stub-host: ns3.opennic.glue.
    stub-host: ns4.opennic.glue.
    stub-host: ns5.opennic.glue.
    stub-host: ns6.opennic.glue.
    stub-host: ns7.opennic.glue.
    stub-host: ns8.opennic.glue.
    stub-host: ns21.opennic.glue.
    # test above with "grep.geek"
# CesidianRoot : http://www.cesidianroot.net/
# Cesidian Root proper has 84 TLDs,
# Showing only 1 out 84 TLDs
stub-zone: # http://www2.world-dns.net/
    name: "ita"
    stub-host: ns1.cesidio.net.
    stub-host: ns4.cesidio.net.
    stub-host: ns9.cesidian.info.
    # test above with "governo.ita"
# i-DNS.net has many multi-lingual supported TLDs
# Showing only 1 of the TLD below:
stub-zone: # (Russian, Punycode form, .нет or .net)
    name: "xn--e1apq"
    stub-host: nsa.i-dns.net.
    stub-host: nsb.i-dns.net.
    stub-host: nsc.i-dns.net.
    stub-host: nsd.i-dns.net.
    stub-addr: 64.62.142.131
    stub-addr: 195.161.113.189
    stub-addr: 211.169.245.170
    stub-addr: 120.50.44.141
# TLD '42':
forward-zone:
    name: "a.42tld-servers.net"
    forward-addr: 91.191.147.246
forward-zone:
    name: "b.42tld-servers.net"
    forward-addr: 91.191.147.243
forward-zone:
    name: "c.42tld-servers.net"
    forward-addr: 79.143.244.68
    forward-addr: 2a01:678:fff:42:42::
forward-zone:
    name: "d.42tld-servers.net"
    forward-addr: 83.169.77.117
# TLD 'bit':
forward-zone:
    name: "ns.dot-bit.bit"
    forward-addr: 178.32.31.41
    forward-addr: 2001:41d0:2:a5d9::101
# New-Nations.net TLD:
forward-zone:
    name: "ns1.new-nations.ti"
    forward-addr: 88.84.130.20
forward-zone:
    name: "ns2.new-nations.ti"
    forward-addr: 194.50.176.206
# CesidianRoot TLDs:
forward-zone:
    name: "ns1.cesidio.net"
    forward-addr: 78.47.115.193
forward-zone:
    name: "ns4.cesidio.net"
    forward-addr: 78.47.115.196
forward-zone:
    name: "ns9.cesidian.info"
    forward-addr: 84.200.208.231
    forward-addr: 2001:1608:12:0:7862:ab14:ef56:102
# i-DNS.net TLDs:
forward-zone:
    name: "nsa.i-dns.net"
    forward-addr: 64.62.142.131
forward-zone:
    name: "nsb.i-dns.net"
    forward-addr: 195.161.113.189
forward-zone:
    name: "nsc.i-dns.net"
    forward-addr: 211.169.245.170
forward-zone:
    name: "nsd.i-dns.net"
    forward-addr: 120.50.44.141
# OpenNIC TLDs:
forward-zone:
    name: "ns2.opennic.glue"
    forward-addr: 216.87.84.210
    forward-addr: 2001:470:8388:10:0:100:53:10
forward-zone:
    name: "ns21.opennic.glue"
    forward-addr: 202.83.95.229
forward-zone:
    name: "ns3.opennic.glue"
    forward-addr: 199.30.58.57
    forward-addr: 2001:470:8ca1::53
forward-zone:
    name: "ns4.opennic.glue"
    forward-addr: 84.200.228.200
forward-zone:
    name: "ns5.opennic.glue"
    forward-addr: 128.177.28.254
forward-zone:
    name: "ns6.opennic.glue"
    forward-addr: 207.192.71.13
    forward-addr: 2002:cfc0:470d::1
forward-zone:
    name: "ns7.opennic.glue"
    forward-addr: 66.244.95.11
    forward-addr: 2001:470:1f10:c6::11
forward-zone:
    name: "ns8.opennic.glue"
    forward-addr: 178.63.116.152
    forward-addr: 2a01:4f8:110:6221::999
# Default Root Zone TLDs:
# forward-zone:
#     name: "."
#     forward-addr: i.p.adrs.1 # My ISP # Recursive/Caching
#     forward-addr: i.p.adrs.2 # My ISP # Recursive/Caching
# END of service.conf / unbound.conf file

Can anyone help me further to fix mentioned problems in above ?

Thanks in advance,
Bry8Star.

On 8/23/2012 10:47 PM, Bry8 Star wrote:
> Here is my config file, please see what is wrong:
>
> # BEGIN of service.conf / unbound.conf file
> server:
>     verbosity: 3
>     statistics-interval: 0
>     statistics-cumulative: "no"
>     extended-statistics: "no"
>     num-threads: 2
>     interface: 127.0.0.1
>     interface: 192.168.0.10
>     interface: ::1
>     interface-automatic: "no"
>     port: 53
>     outgoing-interface: 192.168.0.10
>     outgoing-range: 400
>     outgoing-port-permit: 52000-56096
>     outgoing-port-avoid:
> "22,25,26,37,53,54,55,67,68,69,80,110,123,135,137,138,139,143,443,445,465,500,587,843,990,912,993,995,1025,1863,1935,2082,2083,2096,2400,4242,4400,4421,4444,4445,4480,4500,4569,5038,5050,5060,5061,5062,5063,5064,5065,5198,5199,5200,5222,5555,5800,5801,5900,5901,6666,6667,6668,6669,7000,7001,7002,7003,7004,7005,7006,7658,7659,7660,7777,8050,8052,8054,8056,8058,8060,8080,8110,8118,8120,8123,8125,8143,8210,8225,8243,8998,9001,9022,9030,9050,9051,9052,9053,9054,9055,9056,9057,9058,9059,9060,9080,10000,15000,15001,15002,15003,15004,16001,16999,20000,20001,25000,26999,30600,31000,32000,36999,50300"
>     outgoing-num-tcp: 10
>     incoming-num-tcp: 10
>     so-rcvbuf: 8m
>     so-sndbuf: 8m
>     edns-buffer-size: 4096
>     msg-buffer-size: 65552
>     msg-cache-size: 24m
>     msg-cache-slabs: 4
>     num-queries-per-thread: 200
>     jostle-timeout: 200
>     rrset-cache-size: 48m
>     rrset-cache-slabs: 4
>     cache-min-ttl: 0
>     cache-max-ttl: 21600
>     infra-host-ttl: 900
>     infra-cache-slabs: 4
>     infra-cache-numhosts: 10000
>     do-ip4: "yes"
>     do-ip6: "no" # for now
>     do-udp: "yes"
>     do-tcp: "yes"
>     tcp-upstream: "no"
>     do-daemonize: "yes"
>     access-control: 0.0.0.0/0 refuse
>     access-control: ::0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: 192.168.0.10/24 allow
>     access-control: ::1 allow
>     logfile: "C:\Program Files\Unbound\unbound.log"
>     use-syslog: "no"
>     log-time-ascii: "yes"
>     log-queries: "no"
>     root-hints: "C:\Program Files\Unbound\named.cache"
>     hide-identity: "yes"
>     hide-version: "yes"
>     identity: "DNS"
>     version: "1.0.0"
>     target-fetch-policy: "3 2 1 1 1 1"
>     harden-short-bufsize: "no"
>     harden-large-queries: "no"
>     harden-glue: "yes"
>     harden-dnssec-stripped: "yes"
>     harden-below-nxdomain: "no"
>     harden-referral-path: "no"
>     use-caps-for-id: "no"
>     unwanted-reply-threshold: 1000
>     prefetch: "yes"
>     prefetch-key: "yes"
>     rrset-roundrobin: "yes"
>     minimal-responses: "no"
>     module-config: "validator iterator"
>     dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
>     # Downloaded from http://ftp.isc.org/www/dlv/dlv.isc.org.key
>     # DLV, DNS Lookaside Validation, for the root
>     auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
>     #trust-anchor-file: "<filename>"
>     # File with trusted keys for validation. Specify more
>     # than one file with several entries, one file per entry.
>     # Standard DNS Zone file format, with DS, DNSKEY entries.
>     #trusted-keys-file: "<filename>"
>     # File with trusted keys for validation. Specify more
>     # than one file with several entries, one file per entry.
>     # Like trust-anchor-file, but in BIND-9 format.
>     domain-insecure: "42"
>     domain-insecure: "ovh"
>     domain-insecure: "bit"
>     domain-insecure: "ita"
>     domain-insecure: "geek"
>     # other TLDs that are inside other AltRootDNS
>     val-bogus-ttl: 60
>     val-sig-skew-max: 86400
>     val-clean-additional: "yes"
>     val-permissive-mode: "no"
>     ignore-cd-flag: "yes"
>     val-log-level: 2
>     #val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
>     key-cache-size: 24m
>     key-cache-slabs: 4
>     neg-cache-size: 4m
>     local-zone: "onion." refuse # disallow via public route
>     local-zone: "i2p." refuse # suppose to go via proxy route
> remote-control:
>     control-enable: "no"
> stub-zone:
>     name: "42" # http://42registry.org/
>     stub-addr: 91.191.147.246 # name / DNS Srvr
>     stub-addr: 91.191.147.243
>     stub-addr: 79.143.244.68
>     # test with "search.42"
> stub-zone:
>     name: "ovh" # http://ovh.co.uk/
>     stub-addr: 213.251.128.133 # name / DNS Srvr
>     stub-addr: 213.251.188.133
> stub-zone:
>     name: "bit" # http://dot-bit.org
>     stub-addr: 178.32.31.41 # name / DNS Srvr
>     stub-addr: 108.174.61.249
>     stub-addr: 78.47.86.43
>     stub-addr: 96.127.133.37
>     stub-addr: 69.194.226.23
>     stub-addr: 194.71.109.237
>     # test with "dot-bit.bit"
> # OpenNIC : http://www.opennicproject.org/ :
> # TLDs: .geek, .free, .bbs, .parody, .oss,
> # .indy, .fur, .ing, .micro, .dyn, .neo,
> # .pirate, gopher and null.
> stub-zone:
>     name: "opennicproj-rtDnsSrvr-randNum01.com"
>     stub-addr: 66.244.95.20 # name / DNS Srvr
>     stub-addr: 74.207.247.4
>     stub-addr: 216.87.84.211
>     stub-addr: 66.90.81.200
>     stub-addr: 94.23.246.31
>     stub-addr: 95.142.171.235
>     stub-addr: 82.237.169.10
>     stub-addr: 202.83.95.227
>     stub-addr: 58.6.115.42
>     stub-prime: no
>     stub-first: no
> stub-zone:
>     name: "geek"
>     stub-host: "ns.opennicproj-rtDnsSrvr-randNum01.com"
>     # test with "grep.geek"
> # ... around 14 OpenNIC TLDs
> # CesidianRoot : http://www.cesidianroot.net/
> # Cesidian Root proper (84 TLDs), they also resolve
> # other Alt Root DNS's TLDs
> stub-zone: # http://www2.world-dns.net/
>     name: "cesidianroot-dnsSrvr-randNum02.net"
>     stub-addr: 178.254.3.55 # name/DNS server
>     stub-addr: 50.77.217.162
>     stub-addr: 199.193.252.198
>     stub-addr: 78.47.115.194
>     stub-addr: 78.47.115.197
>     stub-addr: 122.155.6.181
>     stub-addr: 182.163.74.213
>     stub-addr: 116.90.134.19
>     stub-addr: 200.58.125.62
>     stub-addr: 196.41.137.142
> stub-zone:
>     name: "ita"
>     stub-host: "ns.cesidianroot-dnsSrvr-randNum02.net"
>     # test with "governo.ita"
> # ... around 84 CesidianRoot TLDs
> forward-zone:
>     name: "."
>     forward-addr: i.p.adrs.1 # AT&T ISP # Recursive/Caching
>     forward-addr: i.p.adrs.2 # AT&T ISP # Recursive/Caching
> # END of service.conf / unbound.conf file
>
> i can at least (inconsistently) do ping or nslookup or dig on test sites
> in 42, ovh, bit TLDs,
> but, could not do so for test sites in TLDs like geek, ita.
>
> Thanks for your help in advance,
> Bry8Star.
>
>
>
> On 8/22/2012 9:20 PM, Bry8 Star wrote:
>> Hi,
>> There are many other Root servers other than ICANN Root servers. For
>> example: CesidianRoot (http://www.cesidianroot.net/), OpenNIC
>> (http://www.opennicproject.org/), New Nations (New-Nations.net),
>> Namecoin DNS (DotBIT project, bit DNS) (http://dot-bit.org), 42
>> (http://42registry.org/), OVH (http://ovh.co.uk/), i-DNS (MultiLingual
>> DNS) (i-dns.net), Public-Root ( http://public-root.com), UnifiedRoot
>> (unifiedroot.com), etc.
>>
>> How can i integrate all into one Unbound or into a central Unbound ? to
>> use their all TLDs, which are not found in default ICANN/IANA root servers.
>>
>> For example, i had to add these in unbound.conf/service.conf for '42' TLD:
>>
>> domain-insecure: "42"
>> stub-zone:
>>     name: "42"
>>     stub-addr: 91.191.147.246 # 42Registry a.42tld-servers.net europe
>>     stub-addr: 91.191.147.243 # 42Registry b.42tld-servers.net europe
>>     stub-addr: 79.143.244.68 # 42Registry c.42tld-servers.net europe
>>
>> now with the above 6 lines, i could not ping or browse the website at
>> "search.42" :( but 'dig', 'nslookup' does resolve/show successfully ns,
>> a , etc records.
>> i tried "dig 42. any +dnssec", but flag does not show 'ad' bit, only
>> shows 'qr rd ra'. answer does show 'SOA' with "a.42tld-servers.net.
>> tech.42registry.org.", and 4 'NS' shows "a/b/c/d.42tld-servers.net.".
>>
>> so what is/are wrong ?
>> if 42 TLD supports/has DNSSEC components, then how can i use them ? or
>> how to enable DNSSEC for 42 TLD ?
>>
>> Similar like above, i added domain-insecure and stub-zone for .bit TLD
>> in 'unbound.conf' / 'service.conf' file. The 'ping', 'nslookup', 'dig'
>> etc worked on the http://dot-bit.bit/ site/host/domain. :)
>>
>> The CesidianRoot proper, root dns server/system, has at least 84 TLDs of
>> their own. And they can also resolve other TLDs from other root dns
>> servers.
>> i added all of them (cesidianRoot and other root's TLDs) in this way,
>> i'm showing only few TLD example instead of all 84 TLDs here:
>>
>> domain-insecure: "5wc"
>> domain-insecure: "cesidio"
>> domain-insecure: "linna"
>> domain-insecure: "free"
>> ...
>> stub-zone:
>>     name: "cesidianroot-dnsSrv-randNum1.net"
>>     stub-addr: 178.254.3.55 # Master CesidianRoot.net Root Server
>>     stub-addr: 50.77.217.162 # CesidianRoot.net North America
>>     stub-addr: 199.193.252.198 # CesidianRoot.net North America
>>     stub-addr: 78.47.115.194 # CesidianRoot.net Europe
>>     stub-addr: 78.47.115.197 # CesidianRoot.net Europe
>>     stub-addr: 122.155.6.181 # CesidianRoot.net South-East Asia
>>     stub-addr: 182.163.74.213 # CesidianRoot.net South-East Asia
>>     stub-addr: 116.90.134.19 # CesidianRoot.net Australia & Oceania
>>     stub-addr: 200.58.125.62 # CesidianRoot.net South America
>>     stub-addr: 196.41.137.142 # CesidianRoot.net Sub-Saharan Africa
>> stub-zone:
>>     name: "5wc"
>>     stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
>> stub-zone:
>>     name: "cesidio"
>>     stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
>> stub-zone:
>>     name: "linna"
>>     stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
>> stub-zone:
>>     name: "free"
>>     stub-host: "ns.cesidianroot-dnsSrv-randNum1.net"
>> ...
>>
>> but when i tried to do ping/nslookup/dig on any TLD randomly from
>> CesidianRoot, then none of the tool worked. ! :( :-(
>>
>> What is/are wrong ? i used this "cesidianroot-dnsSrv-randNum1.net"
>> domain-name because such does not exist in real-life. do i need to
>> define/declare 'ns' & 'cesidianroot-dnsSrv-randNum1.net' which are used
>> in stub-host : "ns.cesidianroot-dnsSrv-randNum1.net" line ?
>>
>> And please help me to have a solution, where i dont have to use those 10
>> stub-addr dns server of CesidianRoot for all of those 84 TLDs for 84
>> times, then it will become at least 11 x 84 lines of codes ! how can i
>> reduce line numbers ?
>>
>> if cesidianroot TLDs supports/has DNSSEC components/records, then how
>> can i use them or how to enable DNSSEC for CesidianRoot ?
>>
>> CesidianRoot can also resolve TLDs authoritatively maintained by
>> New-Nations.net root system, and i-DNS.net Root system. All of those
>> TLDs are currently using 'ns.cesidianroot-dnsSrv-randNum1.net' as
>> stub-host currently in 'service.conf' / 'unbound.conf' file. Since
>> CesidianRoot is not SOA / AA / DS of New-Nations.net & i-DNS.net TLDs,
>> am i suppose to change the stub-host of those TLDs from
>> 'ns.cesidianroot-dnsSrv-randNum1.net' into
>> 'ns.new-nations-net-dnsSrv-randNum1.net' /
>> 'ns.i-dns-net-dnsSrv-randNum1.net' ?
>>
>> if i could use CesidianRoot with DNSSEC via unbound (along with the
>> default ICANN provided TLDs), then i could apply similar method/approach
>> for other root dns server, which are similar.
>>
>> by the way, your irc channel #unbound in irc.freenode.net is very
>> in-active, and some users who did post some messages, instead of helping
>> out, they question the 'question' ! or question the 'user' who is
>> posting the question or asking for help ! instead of asking more about
>> the problem itself, and what can be done to solve it ! very unfriendly
>> attitudes. Most likely these users does not like to help others, or
>> grumpy, or busy with something else, or expecting something else from users.
>>
>> in website, please add sha1, sha256 hash/checksum of windows binary
>> files, thanks.
>>
>> Thanks for your all help.
>> ~ Bry8Star.
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
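
Added example (not part of the original message, and not Unbound's own code): the config above loads the validator module with a root trust anchor, so each alternative-root stub-zone relies on a matching domain-insecure entry, and this script lists the stub-zone and forward-zone names that have none. The sample config is constructed, `signed_parents` is a hypothetical allow-list, and the parser assumes one option per line.

```python
# Constructed sample in unbound.conf syntax. Zone names follow the config
# above; addresses are RFC 5737 documentation placeholders.
SAMPLE_CONF = """
server:
    module-config: "validator iterator"
    domain-insecure: "42"
    domain-insecure: "glue"   # alt-root TLD without DNSSEC
stub-zone:
    name: "42"
    stub-addr: 192.0.2.1
stub-zone:
    name: "ti"
    stub-host: ns1.new-nations.ti.
stub-zone:
    name: "Geek."
    stub-host: ns2.opennic.glue.
forward-zone:
    name: "ns2.opennic.glue"
    forward-addr: 192.0.2.3
forward-zone:
    name: "a.42tld-servers.net"
    forward-addr: 192.0.2.4
"""

def norm(name):
    """Lower-case a domain name; drop quotes and the trailing root dot."""
    return name.strip().strip('"').rstrip(".").lower()

def parse_clauses(text):
    """Yield (clause, option, value); assumes one option per line."""
    clause = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        key, _, value = line.partition(":")  # first ':' only, IPv6 survives
        if value.strip():
            yield clause, key.strip(), value.strip()
        elif key.strip():
            clause = key.strip()             # "server:", "stub-zone:", ...

def covered(zone, names):
    """True if zone or one of its parent domains is in names."""
    labels = zone.split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))

def zones_without_exemption(text, signed_parents=frozenset({"net", "info"})):
    """Return (clause, zone) pairs that no domain-insecure entry covers, so a
    validating resolver checks them against its trust anchor. signed_parents
    is a hypothetical allow-list of parents with a real DNSSEC chain."""
    opts = list(parse_clauses(text))
    modules = [v for c, o, v in opts if (c, o) == ("server", "module-config")]
    if modules and "validator" not in modules[-1]:
        return []                            # validator module not loaded
    exempt = {norm(v) for c, o, v in opts
              if (c, o) == ("server", "domain-insecure")} | set(signed_parents)
    return [(c, norm(v)) for c, o, v in opts
            if c in ("stub-zone", "forward-zone") and o == "name"
            and norm(v) and not covered(norm(v), exempt)]

if __name__ == "__main__":
    print(zones_without_exemption(SAMPLE_CONF))
```

Each reported zone either needs its own domain-insecure line or a trust anchor for a signed chain; which one applies depends on whether that zone's operator publishes DNSSEC records.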
