Greetings, I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)
The setup is as follows: unbound is listening on a loopback interface, lo1, using an address that is anycast, let's call it 192.0.2.53/32. This address is configured as resolver in clients. This works.

However, this particular machine is slated to go walkabout in a travel kit to a place where it might lose its connection. We still want it to work and keep on serving names, since some resources will be local. Therefore, we've got an nsd instance running on the same host. The nsd is slaving a number of the important zones we need off of the normal servers, and we intend to use stub/forward in unbound to prefer this instance -- a lot of firewalling means we can't freely recurse from the root anyway, so such a setup is required regardless. We're forwarding to a pair of DMZ resolver hosts for external names, and to internal name servers for our own stuff.

I initially tried to make nsd listen on 127.0.0.53 using an extra loopback interface (in contrast to a statement by a PFY working at a Swedish ISP back in the dotcom bubble days, we feel that we can afford loopback interfaces... True story.) and it works. Half-way. I can dig @127.0.0.53 and get excellent answers back. But unbound refuses to use the address, and returns SERVFAIL. As soon as I make nsd listen on a physical interface on the host and change the unbound config accordingly so that it points to that address for forwarding/stub address, things start working.

Is this an issue in unbound or OpenBSD (5.9)?

Bonus question: Forward or Stub? I never really got through to understand the differences ;-)

Thanks for any pointers in this.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668

We have DIFFERENT amounts of HAIR --
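The behaviour described in the post matches an Unbound default rather than anything OpenBSD-specific: the `do-not-query-localhost` option defaults to `yes`, which adds 127.0.0.0/8 and ::1 to the do-not-query list, so a stub or forward address on loopback is never contacted and the query ends in SERVFAIL; moving nsd to a physical interface sidesteps the rule, which is why that works. On the bonus question: a stub-zone points Unbound at authoritative servers for a zone (nsd does no recursion, so it belongs here), while a forward-zone points it at recursive resolvers that answer on Unbound's behalf (the DMZ hosts). The unbound.conf fragment below is an added example, not the poster's own configuration: 192.0.2.53 and 127.0.0.53 are the addresses from the post, while the zone name, the DMZ resolver addresses and the client range are assumptions.

```yaml
# Added example (not from the original post): unbound.conf for a resolver that
# prefers a local nsd on a loopback address and forwards everything else.
server:
    interface: 192.0.2.53            # anycast address on lo1, as in the post
    access-control: 192.0.2.0/24 allow   # assumed client range

    # Default is yes, which forbids queries to 127.0.0.0/8 and ::1. With the
    # default in place, stub-addr/forward-addr on loopback are skipped and the
    # resolver answers SERVFAIL. Set to no so 127.0.0.53 may be queried.
    do-not-query-localhost: no

# Zones nsd serves authoritatively on this host: stub-zone, because nsd is an
# authoritative server and must be asked non-recursively. The more specific
# zone wins over the "." forward-zone below.
stub-zone:
    name: "example.internal."        # assumed zone name, slaved by nsd
    stub-addr: 127.0.0.53
    stub-prime: no                   # default; nsd already holds the zone

# Everything else goes to the DMZ recursive resolvers: forward-zone, because
# those hosts recurse on Unbound's behalf. Addresses are assumed placeholders.
forward-zone:
    name: "."
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11
```

Validate the file with `unbound-checkconf` before reloading, and confirm the stub path with `dig @192.0.2.53 example.internal SOA` while the DMZ addresses are unreachable: with `do-not-query-localhost: no` the answer comes from nsd, with the default it is SERVFAIL.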