Re: private ipv6 address space

2017-08-02 Thread Stephane Guedon via Unbound-users
On Wednesday 2 August 2017, 08:46:31 CEST, W.C.A. Wijngaards via Unbound-users
wrote:
> Hi,
> 
> Also,
> local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault
> has to be d.f.ip6.arpa nodefault, to disable the default zone that is
> upwards from your private zone.
> 
> Best regards, Wouter
> 
> On 01/08/17 18:29, Eric Luehrsen via Unbound-users wrote:
> > dnsmasq is a forwarding resolver and you need "forward" clauses instead
> > of "stub" clauses. As you know, it's similar user configuration syntax,
> > but different communication behaviors. "Stub" is a short cut to an
> > authoritative server. Also, dnsmasq compiled with authoritative
> > conditional compile options can pretend but it has limited function.
> > 
> > On 08/01/2017 04:16 AM, Stephane Guedon via Unbound-users wrote:
> >> Good (insert your local time of the day) all members of this list. I
> >> have trouble with my instance of Unbound (OpenBSD 6.1 stable) with
> >> private IPv6 space. I have a local DNS resolver/cache (Dnsmasq) which
> >> works perfectly on my router. The Unbound instance is supposed to
> >> redirect all DNS requests regarding private domains and address space
> >> to it:
> >>
> >> private-address: fd00:2016:22::/48
> >> access-control: ::0/0 refuse
> >> access-control: ::1/128 allow
> >> access-control: fd00:2016:22::/48 allow
> >> local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault
> >> domain-insecure: "22decembre.eu."
> >> domain-insecure: "22december.dk."
> >> domain-insecure: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
> >>
> >> stub-zone:
> >>     name: "22decembre.eu."
> >>     stub-addr: "fd00:2016:22:dec::1"
> >> stub-zone:
> >>     name: "22december.dk."
> >>     stub-addr: "fd00:2016:22:dec::1"
> >> stub-zone:
> >>     name: "d.f.ip6.arpa."
> >>     stub-addr: "fd00:2016:22:dec::1"
> >> stub-zone:
> >>     name: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
> >>     stub-addr: "fd00:2016:22:dec::1"
> >>
> >> #domain-insecure: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
> >> #local-zone: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
> >> stub-zone:
> >>     name: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
> >>     stub-addr: "fd00:2016:22:dec::1"
> >>
> >> (In the beginning - aka before two days ago - I used forward zones
> >> pointing at fd00:2016:22:dec::1 aka dnsmasq and the whole thing worked
> >> smoothly as intended. It does not anymore and I tried to upgrade my
> >> conf according to the manual and my understanding is that this conf'
> >> is supposed to be done with stub-zones.)
> >>
> >> But apparently, whenever I send a request on 22decembre.eu or
> >> 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. I get blocked:
> >>
> >> ; <<>> DiG 9.4.2-P2 <<>> @unbound mirror.22decembre.eu
> >> ; (2 servers found)
> >> ;; global options:  printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6329
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >> ;; QUESTION SECTION:
> >> ;mirror.22decembre.eu.  IN  A
> >> ;; Query time: 3 msec
> >> ;; SERVER: fd00:2016:22:dec::3#53(fd00:2016:22:dec::3)
> >> ;; WHEN: Tue Aug  1 10:10:01 2017
> >> ;; MSG SIZE  rcvd: 38
> >>
> >> stephane@blackblock:/home/stephane dig -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
> >> ; <<>> DiG 9.4.2-P2 <<>> -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
> >> ; (1 server found)
> >> ;; global options:  printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46873
> >> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >> ;; QUESTION SECTION:
> >> ;2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. IN   PTR
> >> ;; AUTHORITY SECTION:
> >> d.f.ip6.arpa.   10800   IN  SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
> >>
> >> Can anyone tell me what mistake(s) I make? Thank you in advance.


I answer in order to give the solution to those in need, as I found it.

I needed to have:

private-domain: "22decembre.eu."

So my domain can have private addresses (10.0.0.0/8 and fd00:2016...).



Re: private ipv6 address space

2017-08-02 Thread W.C.A. Wijngaards via Unbound-users
Hi,

Also,
local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault
has to be d.f.ip6.arpa nodefault, to disable the default zone that is
upwards from your private zone.

Best regards, Wouter

On 01/08/17 18:29, Eric Luehrsen via Unbound-users wrote:
> dnsmasq is a forwarding resolver and you need "forward" clauses instead
> of "stub" clauses. As you know, it's similar user configuration syntax,
> but different communication behaviors. "Stub" is a short cut to an
> authoritative server. Also, dnsmasq compiled with authoritative
> conditional compile options can pretend but it has limited function.
> 
> 
> On 08/01/2017 04:16 AM, Stephane Guedon via Unbound-users wrote:
>>
>> Good (insert your local time of the day) all members of this list. I
>> have trouble with my instance of Unbound (OpenBSD 6.1 stable) with
>> private IPv6 space. I have a local DNS resolver/cache (Dnsmasq) which
>> works perfectly on my router. The Unbound instance is supposed to
>> redirect all DNS requests regarding private domains and address space
>> to it:
>>
>> private-address: fd00:2016:22::/48
>> access-control: ::0/0 refuse
>> access-control: ::1/128 allow
>> access-control: fd00:2016:22::/48 allow
>> local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault
>> domain-insecure: "22decembre.eu."
>> domain-insecure: "22december.dk."
>> domain-insecure: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
>>
>> stub-zone:
>>     name: "22decembre.eu."
>>     stub-addr: "fd00:2016:22:dec::1"
>> stub-zone:
>>     name: "22december.dk."
>>     stub-addr: "fd00:2016:22:dec::1"
>> stub-zone:
>>     name: "d.f.ip6.arpa."
>>     stub-addr: "fd00:2016:22:dec::1"
>> stub-zone:
>>     name: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
>>     stub-addr: "fd00:2016:22:dec::1"
>>
>> #domain-insecure: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
>> #local-zone: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
>> stub-zone:
>>     name: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
>>     stub-addr: "fd00:2016:22:dec::1"
>>
>> (In the beginning - aka before two days ago - I used forward zones
>> pointing at fd00:2016:22:dec::1 aka dnsmasq and the whole thing worked
>> smoothly as intended. It does not anymore and I tried to upgrade my
>> conf according to the manual and my understanding is that this conf'
>> is supposed to be done with stub-zones.)
>>
>> But apparently, whenever I send a request on 22decembre.eu or
>> 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. I get blocked:
>>
>> ; <<>> DiG 9.4.2-P2 <<>> @unbound mirror.22decembre.eu
>> ; (2 servers found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6329
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;mirror.22decembre.eu.  IN  A
>> ;; Query time: 3 msec
>> ;; SERVER: fd00:2016:22:dec::3#53(fd00:2016:22:dec::3)
>> ;; WHEN: Tue Aug  1 10:10:01 2017
>> ;; MSG SIZE  rcvd: 38
>>
>> stephane@blackblock:/home/stephane dig -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
>> ; <<>> DiG 9.4.2-P2 <<>> -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46873
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. IN   PTR
>> ;; AUTHORITY SECTION:
>> d.f.ip6.arpa.   10800   IN  SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
>>
>> Can anyone tell me what mistake(s) I make? Thank you in advance.
>>
> 






Re: private ipv6 address space

2017-08-01 Thread Eric Luehrsen via Unbound-users
dnsmasq is a forwarding resolver and you need "forward" clauses instead of 
"stub" clauses. As you know, it's similar user configuration syntax, but 
different communication behaviors. "Stub" is a short cut to an authoritative 
server. Also, dnsmasq compiled with authoritative conditional compile options 
can pretend but it has limited function.

On 08/01/2017 04:16 AM, Stephane Guedon via Unbound-users wrote:

> Good (insert your local time of the day) all members of this list. I
> have trouble with my instance of Unbound (OpenBSD 6.1 stable) with
> private IPv6 space. I have a local DNS resolver/cache (Dnsmasq) which
> works perfectly on my router. The Unbound instance is supposed to
> redirect all DNS requests regarding private domains and address space
> to it:
>
> private-address: fd00:2016:22::/48
> access-control: ::0/0 refuse
> access-control: ::1/128 allow
> access-control: fd00:2016:22::/48 allow
> local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." nodefault
> domain-insecure: "22decembre.eu."
> domain-insecure: "22december.dk."
> domain-insecure: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
>
> stub-zone:
>     name: "22decembre.eu."
>     stub-addr: "fd00:2016:22:dec::1"
> stub-zone:
>     name: "22december.dk."
>     stub-addr: "fd00:2016:22:dec::1"
> stub-zone:
>     name: "d.f.ip6.arpa."
>     stub-addr: "fd00:2016:22:dec::1"
> stub-zone:
>     name: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
>     stub-addr: "fd00:2016:22:dec::1"
>
> #domain-insecure: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
> #local-zone: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
> stub-zone:
>     name: "6.7.5.1.0.0.0.4.6.0.a.2.ip6.arpa."
>     stub-addr: "fd00:2016:22:dec::1"
>
> (In the beginning - aka before two days ago - I used forward zones
> pointing at fd00:2016:22:dec::1 aka dnsmasq and the whole thing worked
> smoothly as intended. It does not anymore and I tried to upgrade my
> conf according to the manual and my understanding is that this conf'
> is supposed to be done with stub-zones.)
>
> But apparently, whenever I send a request on 22decembre.eu or
> 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. I get blocked:
>
> ; <<>> DiG 9.4.2-P2 <<>> @unbound mirror.22decembre.eu
> ; (2 servers found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6329
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;mirror.22decembre.eu.  IN  A
> ;; Query time: 3 msec
> ;; SERVER: fd00:2016:22:dec::3#53(fd00:2016:22:dec::3)
> ;; WHEN: Tue Aug  1 10:10:01 2017
> ;; MSG SIZE  rcvd: 38
>
> stephane@blackblock:/home/stephane dig -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
> ; <<>> DiG 9.4.2-P2 <<>> -t ptr @unbound 2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa.
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46873
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa. IN   PTR
> ;; AUTHORITY SECTION:
> d.f.ip6.arpa.   10800   IN  SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
>
> Can anyone tell me what mistake(s) I make? Thank you in advance.
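
The three replies in this thread (forward zones rather than stub zones for dnsmasq, nodefault on d.f.ip6.arpa rather than on the private sub-zone, and private-domain for the internal name) can be combined as below. This is an added example, not code posted by anyone in the thread; the function names, the default-zone list (a subset of the defaults documented in unbound.conf(5)) and applying private-domain to both domains are assumptions.

```python
import ipaddress

# Reverse zones Unbound serves by default (subset, per unbound.conf(5)).
# Each answers NXDOMAIN locally until disabled with "nodefault".
DEFAULT_REVERSE_ZONES = [
    "d.f.ip6.arpa.",                        # fd00::/8 unique local addresses
    "8.e.f.ip6.arpa.", "9.e.f.ip6.arpa.",   # fe80::/10 link-local
    "a.e.f.ip6.arpa.", "b.e.f.ip6.arpa.",
]

def reverse_zone(prefix):
    """ip6.arpa zone name for an IPv6 prefix on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def covering_default_zone(zone):
    """Default zone at or above `zone`: the name that needs nodefault."""
    for default in DEFAULT_REVERSE_ZONES:
        if zone == default or zone.endswith("." + default):
            return default
    return None  # e.g. a global prefix: no built-in zone shadows it

def render(prefix, domains, resolver):
    """unbound.conf fragment applying the thread's three corrections."""
    zone = reverse_zone(prefix)
    default = covering_default_zone(zone)
    server = ["server:", f"    private-address: {prefix}"]
    if default:
        server.append(f'    local-zone: "{default}" nodefault')
    for name in domains:
        # private-domain lets answers for this name carry private addresses
        server.append(f'    private-domain: "{name}"')
        server.append(f'    domain-insecure: "{name}"')
    server.append(f'    domain-insecure: "{zone}"')
    forwards = []
    for name in domains + [zone]:
        # dnsmasq is a forwarder, so forward-zone rather than stub-zone
        forwards += ["forward-zone:", f'    name: "{name}"',
                     f"    forward-addr: {resolver}"]
    return "\n".join(server + forwards) + "\n"

if __name__ == "__main__":
    print(render("fd00:2016:22::/48",
                 ["22decembre.eu.", "22december.dk."],
                 "fd00:2016:22:dec::1"))
```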