On Wed, Jun 24, 2015 at 1:06 PM, Graham Stephens <gra...@thestephensdomain.com> wrote:
> -------------------------------
> On 24/06/2015 18:43, mxb wrote:
>> Hey,
>> this is a bit different from bind/named.
>>
>> nsd is an authoritative server ONLY.
>> unbound is a caching server ONLY.
>>
>> I use those together on the same machine.
>> nsd is handling all zones, unbound answers queries.
>>
>> nsd.conf:
>> [port 5353, snip rest of cfg]
>>
>> unbound.conf:
>>
>> server:
>>     ## this one important to be able to query nsd
>>     do-not-query-localhost: no
>>
>>     private-domain: "homelan.com"
>>
>>     ## this one important to be able to query nsd
>>     local-zone: "78.168.192.in-addr.arpa." transparent
>>
>> ## forward to nsd
>> forward-zone:
>>     name: "homelan.com"
>>     forward-addr: 127.0.0.1@5353
>>
>> ## forward to nsd
>> forward-zone:
>>     name: "78.168.192.in-addr.arpa"
>>     forward-addr: 127.0.0.1@5353
>>
>> ## forward to google
>> forward-zone:
>>     name: "."
>>     forward-addr: 8.8.8.8
This is similar to my setup, although I used stub-zone/stub-addr instead of forward-zone for my internal forward and reverse zones, as that seems to make more sense based on my reading of unbound.conf(5). (It says stub-zone is for authoritative servers, which nsd is, and forward-zone is for recursive servers. I'm not 100% sure I am correct here, however.) I also did not define a global forward-zone -- why not just use the system DNS servers?

The important bits to actually make this work are the 'do-not-query-localhost: no' and 'local-zone: C.B.A.in-addr.arpa. transparent' options, needed to override unbound's default behavior of ignoring localhost and RFC1918 addresses. It took me a while to find this, until I discovered the proper keywords to Google for.

I think this would be a good addition to the OpenBSD FAQ. While less common than a simple caching resolver, it's probably not too uncommon to have used BIND to serve a local zone and also act as a caching resolver, and having some guidance on "how to convert your BIND setup to unbound+nsd" would be nice. (Good guidance, not misleading and/or incorrect advice from ca***el.org!)

nsd on a localhost high port, serving my old BIND zone files, and unbound forwarding to it for my zones was easy enough, but the two "magic" options letting unbound actually talk to nsd were somewhat less obvious.

-Andrew
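As an added example, not code posted in this thread: a small sh script that writes out the nsd.conf/unbound.conf pair for the stub-zone variant Andrew describes, with comments on why the two overrides are needed and a check that both are present before the daemons are started. The zone names (homelan.com, 78.168.192.in-addr.arpa) and port 5353 come from the thread; CONFDIR, the zonefile paths, and the 192.168.78.1 resolver address are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): nsd as authoritative-only server on
# 127.0.0.1:5353, unbound as the caching resolver in front of it, joined with
# stub-zone rather than forward-zone. Zone names are the ones from the
# thread; CONFDIR, zonefile paths and LAN addresses are assumptions.
set -eu

# write_configs DIR: write an nsd.conf/unbound.conf pair into DIR.
write_configs() {
    mkdir -p "$1"

    # nsd listens on loopback only, on a high port, so it neither competes
    # with unbound for 127.0.0.1:53 nor is reachable from the LAN.
    cat > "$1/nsd.conf" <<'EOF'
server:
    ip-address: 127.0.0.1
    port: 5353
    # assumed location; point this at the old BIND zone files
    zonesdir: "/var/nsd/zones"

zone:
    name: "homelan.com"
    zonefile: "master/homelan.com"

zone:
    name: "78.168.192.in-addr.arpa"
    zonefile: "master/78.168.192.in-addr.arpa"
EOF

    cat > "$1/unbound.conf" <<'EOF'
server:
    interface: 127.0.0.1
    # assumed LAN address of the resolver
    interface: 192.168.78.1
    access-control: 192.168.78.0/24 allow

    # Default is "yes": unbound refuses to send queries to 127.0.0.0/8,
    # so without this the stub-addr below is never contacted.
    do-not-query-localhost: no

    # unbound ships "168.192.in-addr.arpa." (like the other RFC 1918
    # reverse zones) as a built-in static local-zone, so reverse lookups
    # would be answered locally with no data and never reach nsd.
    # A more specific transparent zone lets them through to the stub.
    local-zone: "78.168.192.in-addr.arpa." transparent

    # Only relevant if you also set private-address (rebind protection):
    # then answers for homelan.com are allowed to carry 192.168.78.x.
    # private-domain: "homelan.com"

    # Only relevant if DNSSEC validation is enabled (auto-trust-anchor-file):
    # marks the unsigned private zones as expected-insecure.
    # domain-insecure: "homelan.com"
    # domain-insecure: "78.168.192.in-addr.arpa"

# stub-zone sends non-recursive queries and expects authoritative answers,
# which is what nsd returns; forward-zone sends recursive queries and is
# meant for handing a zone to another recursive resolver.
stub-zone:
    name: "homelan.com"
    stub-addr: 127.0.0.1@5353

stub-zone:
    name: "78.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@5353
EOF
}

# has_required_options FILE: succeed only if both options that let unbound
# reach an authoritative server on localhost are present in FILE.
has_required_options() {
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$1" &&
    grep -Eq '^[[:space:]]*local-zone:[[:space:]]*"78\.168\.192\.in-addr\.arpa\."[[:space:]]+transparent' "$1"
}

# check_syntax DIR: run each daemon's own config checker when installed;
# returns non-zero if either rejects its file.
check_syntax() {
    status=0
    if command -v nsd-checkconf >/dev/null 2>&1; then
        nsd-checkconf "$1/nsd.conf" || status=1
    fi
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1/unbound.conf" || status=1
    fi
    return $status
}

CONFDIR=${CONFDIR:-./dns-example}
write_configs "$CONFDIR"
if has_required_options "$CONFDIR/unbound.conf"; then
    echo "unbound.conf: both localhost overrides present"
fi
check_syntax "$CONFDIR" || echo "a config checker rejected the files; fix them before starting nsd/unbound"

# Once both daemons run, confirm each hop separately (not executed here):
#   dig @127.0.0.1 -p 5353 host.homelan.com A   nsd answers directly, AA flag set
#   dig @127.0.0.1 host.homelan.com A           unbound answers via the stub zone
#   dig @127.0.0.1 -x 192.168.78.10             reverse lookup via the stub zone
```

If the first dig works and the second returns SERVFAIL, the culprit is almost always one of the two overrides above; if only the reverse lookup fails, check that the transparent local-zone name matches the in-addr.arpa zone nsd serves, since the built-in static 168.192.in-addr.arpa zone swallows anything not covered by a more specific entry.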