Thank you Willem, unbound-host was extremely useful in tracking down this problem.

My first test with it came up with the correct answer with no problem.
  unbound-host -d ns2.editnew.net

I then figured out that I could use the same configuration as the daemon
  unbound-host -C unbound.conf -d ns2.editnew.net

and it failed, so something in the config file.
Comment and retry until success.
That is when I discovered my giant brain fart.

When I set dns server up I grabbed a full featured config from somewhere.

I'm not sure where I got it, but you can see it here:
https://www.nlnetlabs.nl/bugs-script/attachment.cgi?id=143

It includes the lines:
    # Enforce privacy of these addresses. Strips them away from answers.
    # It may cause DNSSEC validation to additionally mark it as bogus.
    # Protects against 'DNS Rebinding' (uses browser as network proxy).
    # Only 'private-domain' and 'local-data' names are allowed to have
    # these private addresses. No default.
    # private-address: 10.0.0.0/8
    # private-address: 172.16.0.0/12
    # private-address: 192.168.0.0/16
    # private-address: 192.254.0.0/16
    # private-address: fd00::/8
    # private-address: fe80::/10

and I uncommented them all. Except that
    # private-address: 192.254.0.0/16
is not a private address space, and is in fact part of the address space used by ns2.editnew.net.

So using private-address is an effective way to black hole an IP address range.

Thanks for all the help.

MM
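A small audit script for the mistake described in this message, added here as an example and not part of the original post or of the Unbound project: it reads the active `private-address:` entries out of an unbound.conf text, flags any entry that is not actually RFC 1918, ULA or link-local space, and reports whether a given answer address would be stripped under that configuration. The embedded config and the address 192.254.10.20 are constructed sample values (the message only says ns2.editnew.net sits somewhere in 192.254.0.0/16); the function names are mine.

```python
import ipaddress

# Constructed sample config: the private-address lines from the quoted
# unbound.conf, uncommented the way the poster did. Not a real file.
SAMPLE_CONF = """
server:
    verbosity: 1
    # Enforce privacy of these addresses. Strips them away from answers.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
"""

# Ranges the unbound comment block is talking about: RFC 1918, IPv4
# link-local, IPv6 ULA and IPv6 link-local. Anything outside these is
# public space and listing it black-holes real hosts.
EXPECTED_PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                  # IPv4 link-local
    "fd00::/8", "fe80::/10",                           # IPv6 ULA, link-local
)]


def parse_private_addresses(conf_text):
    """Return ip_network objects for every active private-address: line.

    Commented-out lines ('# private-address: ...') are ignored, as unbound
    ignores them, which is exactly the difference the poster tripped over.
    """
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line.startswith("private-address:"):
            continue
        value = line.split(":", 1)[1].strip()  # first colon ends the key
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def is_really_private(net):
    """True if net lies entirely inside one of the expected private ranges."""
    return any(net.version == p.version and net.subnet_of(p)
               for p in EXPECTED_PRIVATE)


def audit(conf_text):
    """List (network, ok) pairs; ok is False for entries that are public space."""
    return [(str(n), is_really_private(n))
            for n in parse_private_addresses(conf_text)]


def would_be_stripped(conf_text, answer_ip):
    """Would an answer containing answer_ip be stripped under this config?

    Models only the private-address filter itself; the private-domain and
    local-data exemptions mentioned in the config comments are not modelled.
    """
    addr = ipaddress.ip_address(answer_ip)
    return any(addr.version == n.version and addr in n
               for n in parse_private_addresses(conf_text))


if __name__ == "__main__":
    for net, ok in audit(SAMPLE_CONF):
        print(f"{net:20s} {'ok' if ok else 'NOT private space, will black hole'}")
    # Constructed address inside the bad range, standing in for ns2.editnew.net.
    print("192.254.10.20 stripped:", would_be_stripped(SAMPLE_CONF, "192.254.10.20"))
```

Running it with the poster's config flags 192.254.0.0/16 as the one non-private entry and confirms that an answer in that range would be filtered, which is the black hole the message describes. Pointing the script at the real config before uncommenting a template's private-address block catches the typo without waiting for resolution to fail.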

