On 2013-03-27, at 13:29, Mike. <[email protected]> wrote:

> So then my question becomes --- in order for rDNS to work, why do I
> need domain-insecure for d.f.ip6.arpa and not for 10.in-addr.arpa?

The delegation to 10.in-addr.arpa is insecure:

[krill:~]% dig @a.in-addr-servers.arpa 10.in-addr.arpa soa +dnssec +norec

; <<>> DiG 9.8.3-P1 <<>> @a.in-addr-servers.arpa 10.in-addr.arpa soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37726
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;10.in-addr.arpa.               IN      SOA

;; AUTHORITY SECTION:
10.in-addr.arpa.        86400   IN      NS      blackhole-1.iana.org.
10.in-addr.arpa.        86400   IN      NS      blackhole-2.iana.org.
10.in-addr.arpa.        3600    IN      NSEC    100.in-addr.arpa. NS RRSIG NSEC
10.in-addr.arpa.        3600    IN      RRSIG   NSEC 8 3 3600 20130403190610 20130327152523 30304 in-addr.arpa. jEbmL7O2Lsot3L8DZwEgZqik7Xpdh1uoVyAykVrxiP9TqCEN013oDiPn WzEaGccs3sPv3nrZpYJEfe9107N3cjgmfGNUy08g+l1FZQbQQC5dg5p/ KtFuOKp4AQZ0o/RS5+XXuWxxLHXMJPwQRi0HrXRJEHXLmvJ94YD2XvHb OlU=

;; Query time: 94 msec
;; SERVER: 2001:500:13::73#53(2001:500:13::73)
;; WHEN: Wed Mar 27 14:26:59 2013
;; MSG SIZE  rcvd: 314

[krill:~]%

There *is* no delegation for d.f.ip6.arpa:

[krill:~]% dig @a.ip6-servers.arpa d.f.ip6.arpa soa +dnssec +norec

; <<>> DiG 9.8.3-P1 <<>> @a.ip6-servers.arpa d.f.ip6.arpa soa +dnssec +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26488
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;d.f.ip6.arpa.                  IN      SOA

;; AUTHORITY SECTION:
ip6.arpa.               0       IN      SOA     b.ip6-servers.arpa. hostmaster.icann.org. 2011027460 1800 900 604800 3600
ip6.arpa.               0       IN      RRSIG   SOA 8 2 3600 20130403195609 20130327152714 17280 ip6.arpa. GfYP2Q+e3c+MDWcS9U2ZQYpUexHO9yHqHIT0S530UG2f2CHGfyGEyG+k VsGfV+Naq5uDLVcVeG6Nudajuj8GSOW3mKJQyXavyOBbA4lP5cZyiZBg UVm434fYw5gwA+IUrq+qxpaA0VFfFJ1Xv2ZeF4fK2kEyVD4KGjB7UPMI 09c=
ip6.arpa.               3600    IN      NSEC    2.0.1.0.0.2.ip6.arpa. NS SOA RRSIG NSEC DNSKEY
ip6.arpa.               3600    IN      RRSIG   NSEC 8 2 3600 20130403182935 20130327152714 17280 ip6.arpa. HvZL9ih3EiUZDEGMbMoKsDPYlm1sFqnZFuliiYXNA1KsBASzQ/IoKksm bc1XBDJua9zMNcMSbyzJLEocJ+cpvhxQ8Qof5w2ECoxNcNAspJsiqiwd 32v5YIojPPWIEvz9BnsGBvM0nccR+Gm6AqMpes+WvuJdwRaIIk9Cz+2v icY=
0.c.2.ip6.arpa.         3600    IN      NSEC    ip6.arpa. NS DS RRSIG NSEC
0.c.2.ip6.arpa.         3600    IN      RRSIG   NSEC 8 5 3600 20130404010822 20130327152714 17280 ip6.arpa. enGDPcIFsYEx9X+xX1kFdeaSqQwBdqEQn+4b2PVKGmIdfGVXSjuNp7AH hS5mNUDzCorN5Br6Jm7K9l6uOT08agZvAPQViN6e1r2S+VH5nxWvmg+0 nSUgYIZeKfP8xBJYoHwPahyvP/zvUvw4KpUg28js/gSFGGjqTcHZLyVB ecQ=

;; Query time: 96 msec
;; SERVER: 2001:500:13::73#53(2001:500:13::73)
;; WHEN: Wed Mar 27 14:27:58 2013
;; MSG SIZE  rcvd: 692

[krill:~]%

Your local data for d.f.ip6.arpa is conflicting with the signed non-existence of those names in the ip6.arpa zone. This does not happen with 10.in-addr.arpa because your validator knows that zone is insecure anyway.

Joe

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
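The two NSEC situations Joe describes, worked through in code. This is an added example, not part of the mail or of Unbound; it applies the RFC 4034 canonical-ordering and NSEC-coverage rules to the NSEC records copied from the dig output above, and the function names are my own.

```python
# Added example (not from the mail): applies RFC 4034 NSEC rules to the
# NSEC records copied from the two dig answers above, to show why a
# validator treats d.f.ip6.arpa and 10.in-addr.arpa differently.

def canonical_key(name):
    """RFC 4034 s6.1 ordering: labels compared right to left, case-insensitively,
    as unsigned bytes; a parent name sorts before its children."""
    return [l.encode() for l in reversed(name.rstrip(".").lower().split("."))]

def nsec_covers(owner, next_name, qname):
    """True if the NSEC proves qname does not exist (owner < qname < next).
    If next_name sorts before owner it is the zone's last NSEC, which covers
    every name after owner that is still below the apex (next_name)."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if n < o:
        return q > o and q[:len(n)] == n
    return o < q < n

def closest_encloser(owner, next_name, qname):
    """Longest existing ancestor of qname: its longest common suffix with the
    covering NSEC's owner or next name."""
    q, best = canonical_key(qname), []
    for other in (canonical_key(owner), canonical_key(next_name)):
        i = 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        best = max(best, q[:i], key=len)
    return ".".join(l.decode() for l in reversed(best)) + "."

def proves_nxdomain(nsecs, qname):
    """nsecs: (owner, next, type-bitmap) tuples. An NXDOMAIN proof needs an
    NSEC covering qname and one covering the wildcard at the closest encloser."""
    for owner, nxt, _ in nsecs:
        if nsec_covers(owner, nxt, qname):
            wildcard = "*." + closest_encloser(owner, nxt, qname)
            return any(nsec_covers(o, n, wildcard) for o, n, _ in nsecs)
    return False

def is_insecure_delegation(type_bitmap):
    """An NSEC at a delegation with NS but no DS proves the child is unsigned."""
    types = set(type_bitmap.split())
    return "NS" in types and "DS" not in types

# Records copied from the two dig answers in the mail above.
IP6_ARPA_NSECS = [
    ("ip6.arpa.", "2.0.1.0.0.2.ip6.arpa.", "NS SOA RRSIG NSEC DNSKEY"),
    ("0.c.2.ip6.arpa.", "ip6.arpa.", "NS DS RRSIG NSEC"),
]
TEN_IN_ADDR_NSEC = ("10.in-addr.arpa.", "100.in-addr.arpa.", "NS RRSIG NSEC")
```

`proves_nxdomain(IP6_ARPA_NSECS, "d.f.ip6.arpa.")` is true, which is exactly the signed non-existence that local data for that name contradicts, while `is_insecure_delegation(TEN_IN_ADDR_NSEC[2])` is true because the 10.in-addr.arpa NSEC carries NS without DS.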
