Hi all,
thanks for all the suggestions. However it turned out that all I needed to do
was to add
domain-insecure: "my.domain"
to unbound.conf so that unbound would ignore the lack of DNSSEC of my internal
domain. I have not paid much attention to DNSSEC until now, but it seems I may
need to.
So, problem solved, on to the next one! ;-)
/Johan
On Wed, Oct 12, 2016 at 04:18:39PM +0300, Kapetanakis Giannis wrote:
> Hi,
>
> Haven't followed the whole thread and by just looking at the topic,
> I have a similar setup (carped as well) for caching DNS.
> 2 servers, 2 carped IPs.
>
> This is how it works:
>
> unbound.conf:
> interface: 127.0.0.1
> port: 53
> outgoing-interface: ext_ip
> access-control: local_networks
> do-not-query-localhost: no
> include: "/var/unbound/etc/stub_zones_insecure"
> include: "/var/unbound/etc/stub_zones"
>
> stub_zones:
> stub-zone:
> name: "foo.example.com."
> stub-addr: 127.0.0.1@5678
>
> stub_zones_insecure:
> domain-insecure: "foo.example.com."
>
> insecure is for when you have network problems, to be able to resolve;
> otherwise it hangs at DNSSEC (if you have it enabled). This is for local
> zones only.
>
> resolv.conf:
> nameserver 127.0.0.1
>
> nsd.conf:
> ip-address: 127.0.0.1@5678
> zone:
> name: foo.example.com
> zonefile: /var/nsd/zones/slave/%s
> request-xfr: master_DNS_IP NOKEY
> allow-notify: master_DNS_IP NOKEY
>
> pf.conf:
> # requests from local dns server (unbound)
> pass out quick on $dns1_if proto {tcp, udp} to $dns1_if:network port 53 modulate state (if-bound, no-sync) nat-to ($dns1_if)
> pass out quick on $dns1_if proto {tcp, udp} to any port 53 modulate state (if-bound, no-sync) route-to ($dns1_if $dns1_gw) nat-to ($dns1_if)
> pass out quick on $dns2_if proto {tcp, udp} to $dns2_if:network port 53 modulate state (if-bound, no-sync) nat-to ($dns2_if)
> pass out quick on $dns2_if proto {tcp, udp} to any port 53 modulate state (if-bound, no-sync) route-to ($dns2_if $dns2_gw) nat-to ($dns2_if)
>
> # requests from clients (unbound)
> pass in quick on $dns1_if proto {tcp,udp} from $dns1_if:network to ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns1_if
> pass in quick on $dns2_if proto {tcp,udp} from $dns2_if:network to ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns2_if
> pass in quick on $dns1_if proto {tcp,udp} from <local_net> to ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to ($dns1_if $dns1_gw)
> pass in quick on $dns2_if proto {tcp,udp} from <local_net> to ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to ($dns2_if $dns2_gw)
> pass out quick on $dns1_if proto udp from 127.0.0.1 port 53 nat-to ($dns1_carp)
> pass out quick on $dns2_if proto udp from 127.0.0.1 port 53 nat-to ($dns2_carp)
>
> # nsd
> pass in quick on $dns1_if proto udp from $master_DNS to ($dns1_if) port 5678 keep state rdr-to 127.0.0.1 reply-to $dns1_if
>
> hope these help. For me they have worked for the last 2 years. The only problem
> I haven't solved so far, which requires a different setup, is when you make a
> change on the master and the unbound has the previous entry in the cache...
> the cache has to expire.
>
>
> G
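The two messages above describe the same fix from opposite ends: a validating unbound returns SERVFAIL for an unsigned internal zone served by a stub-zone until a matching domain-insecure entry tells it not to validate that subtree. The downside is that domain-insecure switches DNSSEC validation off for everything under the name given, so a typo such as `domain-insecure: "com."` silently disables validation for far more than the internal zone. The following lint is an added example written for this page; it is not code from either poster, from unbound, or from OpenBSD. It reads an unbound.conf-style fragment, pairs each stub-zone (and, going slightly beyond the thread, forward-zone and auth-zone) with the domain-insecure entries that cover it, and reports zones with no coverage and domain-insecure entries that are the root or a single label, or that match no local zone at all. The config text, including the `lab.internal` and `net.` entries, is constructed for the example; only `foo.example.com.` and `127.0.0.1@5678` come from the thread.

```python
"""Lint unbound.conf zone and domain-insecure entries for DNSSEC coverage."""

# Constructed sample config (assumed values, not a real deployment): the
# foo.example.com stub zone from the thread, a second stub zone that lacks
# a domain-insecure entry, a forward zone, and one overly broad entry.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    port: 53
    do-not-query-localhost: no

stub-zone:
    name: "foo.example.com."
    stub-addr: 127.0.0.1@5678

stub-zone:
    name: "lab.internal"         # no domain-insecure below: SERVFAIL if unsigned
    stub-addr: 10.0.0.53

forward-zone:
    name: "corp.example.org."
    forward-addr: 10.0.0.54

domain-insecure: "foo.example.com."
domain-insecure: "corp.example.org"
domain-insecure: "net."    # far too broad: disables validation for all of .net
"""

ZONE_SECTIONS = ("stub-zone", "forward-zone", "auth-zone")


def _norm(name):
    """Lowercase, unquote and add the trailing dot so names compare equal."""
    name = name.strip().strip('"\'').lower()
    return name if name.endswith(".") else name + "."


def parse_unbound(text):
    """Return (zones, insecure).

    zones: list of {"kind": section, "name": fqdn-or-None} in file order.
    insecure: list of normalised domain-insecure names.
    Comments (#) are stripped; a bare "section:" line starts a new block.
    """
    zones, insecure, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ZONE_SECTIONS:
            current = {"kind": key, "name": None}
            zones.append(current)
        elif not value:                 # e.g. "server:" ends a zone block
            current = None
        elif key == "name" and current is not None:
            current["name"] = _norm(value)
        elif key == "domain-insecure":
            insecure.append(_norm(value))
    return zones, insecure


def _covered(name, insecure):
    """True if name equals, or lies below, some domain-insecure entry."""
    return any(ins == "." or name == ins or name.endswith("." + ins)
               for ins in insecure)


def lint(text):
    """Return a list of human-readable findings; empty means no problems."""
    zones, insecure = parse_unbound(text)
    findings = []
    for z in zones:
        if z["name"] is None:
            findings.append(f"{z['kind']} block without a name")
        elif not _covered(z["name"], insecure):
            findings.append(
                f"{z['kind']} {z['name']} has no domain-insecure entry: unless the "
                "zone is DNSSEC-signed, a validating resolver returns SERVFAIL")
    for ins in insecure:
        labels = [l for l in ins.split(".") if l]
        if len(labels) <= 1:            # root or a TLD
            findings.append(
                f"domain-insecure {ins} is overly broad (root or TLD): it disables "
                "DNSSEC validation for every name under it")
        elif not any(z["name"] and _covered(z["name"], [ins]) for z in zones):
            findings.append(
                f"domain-insecure {ins} matches no stub/forward/auth zone; "
                "validation is disabled for a subtree this resolver does not serve")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports two findings: the uncovered `lab.internal.` stub zone and the overly broad `net.` entry. Johan's minimal case, a stub-zone for `my.domain` plus `domain-insecure: "my.domain"`, lints clean, which is the shape to aim for: one narrow domain-insecure per unsigned internal zone and nothing wider.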