Måns Nilsson
2016-May-20 23:13 UTC
[nsd-users] unbound not accepting a stub or forward pointing to a loopback interface.
Greetings,

I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)

The setup is as follows;

unbound is listening on a loopback interface, lo1, using an address that is anycast, let's call it 192.0.2.53/32. This address is configured as resolver in clients. This works.

However, this particular machine is slated to go walkabout in a travel kit to a place where it might lose its connection. We still want it to work and keep on serving names, since some resources will be local.

Therefore, we've got a nsd instance running on the same host. The nsd is slaving a number of the important zones we need off of the normal servers, and we intend to use stub/forward in unbound to prefer this instance -- a lot of firewalling means we can't freely recurse from the root anyway, so such a setup is required regardless. We're forwarding to a pair of DMZ resolver hosts for external names, and to internal name servers for our own stuff.

I initially tried to make nsd listen on 127.0.0.53 using an extra loopback interface (in contrast to a statement by a PFY working at a Swedish ISP back in the dotcom bubble days, we feel that we can afford loopback interfaces... True story.) and it works. Half-way. I can dig @127.0.0.53 and get excellent answers back. But unbound refuses to use the address, and returns SERVFAIL. As soon as I make nsd listen on a physical interface on the host and change the unbound config accordingly so that it points to that address for forwarding/stub address, things start working.

Is this an issue in unbound or OpenBSD (5.9)?

Bonus question: Forward or Stub? I never really got through to understand the differences ;-)

Thanks for any pointers in this.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
We have DIFFERENT amounts of HAIR
Eduardo Schoedler
2016-May-21 00:04 UTC
[nsd-users] unbound not accepting a stub or forward pointing to a loopback interface.
Try:

server:
    do-not-query-localhost: no

Regards,

2016-05-20 20:13 GMT-03:00 Måns Nilsson via Unbound-users <unbound-users at unbound.net>:
> Greetings,
>
> I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence
> the crosspost)
>
> The setup is as follows;
>
> unbound is listening on a loopback interface, lo1, using an address that
> is anycast, let's call it 192.0.2.53/32. This address is configured as
> resolver in clients. This works.
>
> However, this particular machine is slated to go walkabout in a travel
> kit to a place where it might lose its connection. We still want it to
> work and keep on serving names, since some resources will be local.
>
> Therefore, we've got a nsd instance running on the same host. The nsd is
> slaving a number of the important zones we need off of the normal servers,
> and we intend to use stub/forward in unbound to prefer this instance --
> a lot of firewalling means we can't freely recurse from the root anyway,
> so such a setup is required regardless. We're forwarding to a pair of
> DMZ resolver hosts for external names, and to internal name servers for
> our own stuff.
>
> I initially tried to make nsd listen on 127.0.0.53 using an extra
> loopback interface (in contrast to a statement by a PFY working at a
> Swedish ISP back in the dotcom bubble days, we feel that we can afford
> loopback interfaces... True story.) and it works. Half-way. I can dig
> @127.0.0.53 and get excellent answers back. But unbound refuses to use
> the address, and returns SERVFAIL. As soon as I make nsd listen on a
> physical interface on the host and change the unbound config accordingly
> so that it points to that address for forwarding/stub address, things
> start working.
>
> Is this an issue in unbound or OpenBSD (5.9)?
>
> Bonus question: Forward or Stub? I never really got through to understand
> the differences ;-)
>
> Thanks for any pointers in this.
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> We have DIFFERENT amounts of HAIR

--
Eduardo Schoedler
Anand Buddhdev
2016-May-21 07:58 UTC
[nsd-users] unbound not accepting a stub or forward pointing to a loopback interface.
On 21/05/16 01:13, Måns Nilsson wrote:
> I initially tried to make nsd listen on 127.0.0.53 using an extra
> loopback interface (in contrast to a statement by a PFY working at
> a Swedish ISP back in the dotcom bubble days, we feel that we can
> afford loopback interfaces... True story.) and it works. Half-way.
> I can dig @127.0.0.53 and get excellent answers back. But unbound
> refuses to use the address, and returns SERVFAIL. As soon as I
> make nsd listen on a physical interface on the host and change the
> unbound config accordingly so that it points to that address for
> forwarding/stub address, things start working.

You'll want the following in unbound.conf:

do-not-query-localhost: no

The default is yes, and stops unbound from sending queries to anything in 127.0.0.0/8 and ::1.

Regards,
Anand
Fredrik Pettai
2016-May-21 16:10 UTC
[nsd-users] unbound not accepting a stub or forward pointing to a loopback interface.
Hej Måns,

> On 21 May 2016, at 01:13, Måns Nilsson <mansaxel at besserwisser.org> wrote:
>
> Greetings,
>
> I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)
>
> The setup is as follows;
>
> [...]
>
> Is this an issue in unbound or OpenBSD (5.9)?

We have an almost similar setup on some of our servers, and it works fine (on Debian). I saw others already gave the hint about what needs to be configured for this to work.

> Bonus question: Forward or Stub? I never really got through to understand
> the differences ;-)

Stub is for local zone(s) in unbound (unless something changed since the last time I looked). Simpler and preferred if you can use that, I'd say...

The reason for us to choose forward to local nsd was that the zone(s) served locally from nsd were updated several times from the master (the master is not under our control), so doing timely zone transfers was a pre-req. And forwarding allows for the use of the "forward-first" option in unbound (which we use), which allows unbound to fall back to the zone(s) served by name servers on the Internet if our local cache would fail for some reason...

Re,
/P
Sonic
2016-May-21 17:39 UTC
[nsd-users] unbound not accepting a stub or forward pointing to a loopback interface.
On Fri, May 20, 2016 at 7:13 PM, Måns Nilsson via Unbound-users <unbound-users at unbound.net> wrote:
> Bonus question: Forward or Stub? I never really got through to understand
> the differences ;-)

Generally it's:

Stub - to an authoritative server.
Forward - to another cache/resolver.

Typically, for an internal use only authoritative server, I run NSD on an alternate port on the loopback interface:

==================
server:
    ip-address: 127.0.0.1
    port: 5353

zone:
    name: "example.org"
    zonefile: "example.org.zone"
==================

This allows Unbound to listen on port 53 and bind to the loopback address as well as others:

==================
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    port: 53
    # needed for the loopback stub-addr below; the default (yes) blocks
    # queries to 127.0.0.0/8 and ::1, as noted earlier in the thread
    do-not-query-localhost: no

stub-zone:
    name: "example.org"
    stub-addr: 127.0.0.1@5353

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
==================

==================
# cat /etc/resolv.conf
domain example.org
nameserver 127.0.0.1
==================

Chris
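Pulling the thread's advice together for the original poster's layout, here is an added unbound.conf fragment that is not from any of the posters: do-not-query-localhost: no as Eduardo and Anand recommend, a stub-zone to the local nsd on 127.0.0.53 as Sonic describes for an authoritative server, and a forward-first forward-zone for everything else as Fredrik uses. The zone name example.org and the DMZ resolver addresses 192.0.2.10 and 192.0.2.11 are placeholders, not values from the thread.

```yaml
server:
    # Anycast resolver address on lo1 from the original post; clients point here.
    interface: 192.0.2.53
    port: 53

    # Default is "yes": unbound then refuses to send queries to anything in
    # 127.0.0.0/8 or ::1, which is why a stub/forward to 127.0.0.53 returned
    # SERVFAIL while "dig @127.0.0.53" worked. "no" lifts that block; the
    # stub-addr/forward-addr entries below still name the exact address used.
    do-not-query-localhost: no

# Zones that nsd slaves locally: ask the authoritative nsd directly (stub),
# so they keep resolving when the uplink is gone.
# "example.org" is a placeholder zone name.
stub-zone:
    name: "example.org"
    stub-addr: 127.0.0.53

# Everything else goes to the pair of DMZ resolvers (placeholder addresses).
# forward-first lets unbound try normal recursion if both forwarders fail;
# with the firewalling described in the post that fallback may itself be
# blocked, so drop the line if you would rather get a clean SERVFAIL.
forward-zone:
    name: "."
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11
    forward-first: yes
```

Run unbound-checkconf on the file before reloading; afterwards a query for a name in the stubbed zone sent to 192.0.2.53 should return the same answer as the same query sent to 127.0.0.53.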