K. de Jong
2018-Sep-29 21:01 UTC
[nsd-users] Unbound + NSD (stub-zones only needed for primary/secondary setup? NS records from the zone are ignored?)
Hi,

I'm using Unbound with NSD. Unbound consults the authoritative zones via Unbound stub-zones. I also have a secondary NSD server running on a different system which receives zone updates from its master (the one with Unbound running on it as well). These primary and secondary name servers are defined in the zone as ns1 (primary) and ns2 (secondary).

The problem is that the secondary is never queried. I do flush the cache for the zone before I query again with dig/drill, but only the master does a query/response. The queries fail when I disable NSD on ns1 (primary).

The behavior only changes when I also add the secondary address to the stub-zone in the Unbound config. But as far as I understand, the recursive caching server (Unbound) should be able to also query the secondary based on the NS definitions in the zone. To me it seems strange that after defining NS records (with glue records) it's also (or only?) necessary to define the NS addresses in the stub-zone of Unbound.

Am I doing something wrong? Can someone explain why this setup behaves like this?

What I want to accomplish is that the client queries 10.1.0.1 for a record within home.lan, e.g. the A record of mail.home.lan. Unbound then contacts the NSD server, sees the NS records for ns1 and ns2 and is then able to query either ns1 or ns2 purely based on the NS records, with no extra configuration needed, such as the extra stub-zone line. After choosing the NS, that NS then replies with the A record of mail.home.lan.
unbound.conf:

    server:
        verbosity: 1
        log-queries: yes
        interface: 127.0.0.1@53
        interface: ::1@53
        interface: 10.1.0.1@53
        private-domain: home.lan
        private-domain: home.vpn
        private-address: 10.1.0.1
        private-address: 10.1.1.1
        access-control: 127.0.0.0/8 allow
        access-control: ::1/128 allow
        access-control: 10.1.0.0/24 allow
        access-control: 10.1.1.0/24 allow
        root-hints: "/etc/unbound/root.hints"
        do-not-query-localhost: no
        username: unbound
        hide-identity: yes
        hide-version: yes
        use-caps-for-id: yes
        unwanted-reply-threshold: 10000
        cache-min-ttl: 3600
        cache-max-ttl: 86400
        prefetch: yes
        prefetch-key: yes
        num-threads: 4
        msg-cache-slabs: 4
        rrset-cache-slabs: 4
        infra-cache-slabs: 4
        key-cache-slabs: 4
        msg-cache-size: 32m
        rrset-cache-size: 64m
        so-rcvbuf: 1m
        local-zone: "home.lan" nodefault
        # domain-insecure: "home.lan"

    include: "/etc/unbound/adblock.conf"

    stub-zone:
        name: "home.lan"
        stub-addr: ::1@53530
        stub-addr: 10.1.0.2@53

nsd.conf (primary):

    server:
        verbosity: 1
        interface: 127.0.0.1@53530
        interface: ::1@53530
        interface: 10.1.0.1@53530
        username: nsd
        hide-version: yes
        identity: ""

    remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-interface: ::1
        control-port: 8952
        server-key-file: "nsd_server.key"
        server-cert-file: "nsd_server.pem"
        control-key-file: "nsd_control.key"
        control-cert-file: "nsd_control.pem"

    zone:
        name: "home.lan"
        zonefile: "home.lan.forward"
        notify: 10.1.0.2 NOKEY
        provide-xfr: 10.1.0.2 NOKEY

nsd.conf (secondary):

    server:
        verbosity: 3
        interface: 127.0.0.1@53
        interface: ::1@53
        interface: 10.1.0.2@53
        username: nsd
        hide-version: yes
        identity: ""

    remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-interface: ::1
        control-port: 8952
        server-key-file: "nsd_server.key"
        server-cert-file: "nsd_server.pem"
        control-key-file: "nsd_control.key"
        control-cert-file: "nsd_control.pem"

    zone:
        name: "home.lan"
        zonefile: "home.lan.forward"
        allow-notify: 10.1.0.1 NOKEY
        request-xfr: 10.1.0.1@53530 NOKEY

-- 
Kees de Jong
OpenPGP fingerprint: 0x0E45C98AB51428E6
Anand Buddhdev
2018-Sep-30 08:28 UTC
[nsd-users] Unbound + NSD (stub-zones only needed for primary/secondary setup? NS records from the zone are ignored?)
On 29/09/2018 23:01, K. de Jong wrote:

Hi K de Jong,

Your question is actually about Unbound, and should be on the unbound-users mailing list. The fact that you're using NSD as an authoritative server is just incidental (your authoritative server could have been BIND, PowerDNS or Knot, and the same thing would happen).

Anyway, about your question, see my answer below inline:

> The problem is that the secondary is never queried. I do flush the
> cache for the zone before I query again with dig/drill, but only the
> master does a query/response. The queries fail when I disable NSD on
> ns1 (primary).
>
> The behavior only changes when I also add the secondary address to the
> stub-zone in the Unbound config. But as far as I understand, the

You need to add:

    stub-prime: yes

to the relevant part of your unbound.conf. This will allow unbound to discover the secondary, and use it as well. See the unbound.conf man page for a detailed explanation.

Regards,
Anand
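For reference, the stub-zone block from the original post alongside a primed version of it. This is an added illustration of the suggestion above, not a configuration posted by either participant. Without `stub-prime`, Unbound only ever sends queries for home.lan to the addresses listed under `stub-addr`; the NS records inside the zone are not consulted for server selection. With `stub-prime: yes`, Unbound first asks the listed stub-addr for the zone's NS RRset (and the glue A/AAAA records) and then selects among those name servers, which is the "query ns1 or ns2 purely based on the NS records" behaviour the question asks for. Two caveats that follow from the posted configs: a stub-addr on ::1 needs `do-not-query-localhost: no` (already present in the posted unbound.conf), and NS/glue records carry no port number, so once priming is in use the glue for ns1 must point at an address where NSD actually answers on port 53. In the posted setup NSD on the primary listens on 10.1.0.1@53530 while Unbound itself owns 10.1.0.1@53, so glue of `ns1 A 10.1.0.1` (assumed here; the zone file is not shown) would send primed queries for ns1 to Unbound rather than to NSD.

```conf
# --- as posted: Unbound talks only to the two stub-addr entries ---
stub-zone:
    name: "home.lan"
    stub-addr: ::1@53530
    stub-addr: 10.1.0.2@53

# --- primed: Unbound fetches the NS RRset from the stub-addr and then
#     uses every name server listed in the zone (ns1 and ns2), so the
#     secondary no longer has to be listed by hand ---
stub-zone:
    name: "home.lan"
    stub-prime: yes
    stub-addr: ::1@53530      # only used to obtain the NS set
    # requires in the server: block, because ::1 is a loopback address:
    #     do-not-query-localhost: no
    # and, if DNSSEC validation is ever enabled for this resolver, an
    # unsigned private zone also needs:
    #     domain-insecure: "home.lan"
```

After restarting Unbound, `unbound-control flush_zone home.lan` followed by a few lookups of mail.home.lan (with `log-queries: yes` or `verbosity: 2`) should show queries going to both ns1 and ns2 rather than only to the stub-addr, and the zone should remain resolvable with NSD stopped on ns1.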