On Fri, Jul 31, 2015 at 10:36:34PM -0400, Sonic via Unbound-users wrote:
> I doubt that
> local-zone: "1.168.192.in-addr.arpa" nodefault
> is necessary since you're defining it as a stub-zone.
>
This is actually necessary. I just tested on my firewall at home, and if
I remove "local-zone: "168.192.in-addr.arpa." nodefault" I will get the
unbound default NXDOMAIN even if I still have my stub-zone declaration:
===
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1
===

However, the configuration is still wrong since "nodefault" only works
on the specific RFC1918 boundaries, and not anything below. If I change
this:
---
local-zone: "168.192.in-addr.arpa." nodefault
---

... to this:
---
local-zone: "1.168.192.in-addr.arpa." nodefault
---

I again get the unbound default NXDOMAIN even if it looks like it
matches what I want better.

As you have pointed out to me on openbsd-misc in the past, the correct
configuration to use in the latter case is this:
---
local-zone: "1.168.192.in-addr.arpa." transparent
---

This is only mentioned in passing in the man page for unbound.conf and I
had missed it completely before you pointed it out to me here:
http://marc.info/?l=openbsd-misc&m=140647222022445&w=2

This is probably my biggest pet peeve in the unbound configuration :).

This of course does not relate to the main question in the thread, but I
am pretty sure reverse lookups do not currently work either for the
above reasons.

--
Patrik Lundin
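
An added example, not part of the message above and not unbound's own code: a small Python check that applies the rules described in this post to the text of an unbound.conf and reports stub-zones that would still get the default NXDOMAIN. The function names, the boundary list (limited to the RFC 1918 in-addr.arpa zones) and the sample configuration are assumptions constructed for illustration.

```python
import re

# RFC 1918 reverse zones that unbound answers itself unless overridden
# (assumption: only these in-addr.arpa boundaries are modelled here).
BOUNDARIES = (["10.in-addr.arpa", "168.192.in-addr.arpa"]
              + [f"{n}.172.in-addr.arpa" for n in range(16, 32)])

# Constructed sample: the stub-zone from the post plus one local-zone line.
STUB = 'stub-zone:\n  name: "1.168.192.in-addr.arpa"\n  stub-addr: 127.0.0.1\n'

def sample(local_zone_line):
    return "server:\n  " + local_zone_line + "\n" + STUB

def norm(name):
    return name.strip('"').rstrip(".").lower()

def parse(conf):
    """Return ({local-zone name: type}, [stub-zone names])."""
    local_zones, stubs, clause = {}, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([\w-]+):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).split()
        if not value:                      # clause header, e.g. "stub-zone:"
            clause = key
        elif key == "local-zone" and len(value) >= 2:
            local_zones[norm(value[0])] = value[1].lower()
        elif key == "name" and clause == "stub-zone":
            stubs.append(norm(value[0]))
    return local_zones, stubs

def lint(conf):
    """List (stub name, problem) for stubs still hidden by a default zone."""
    local_zones, stubs = parse(conf)
    findings = []
    for stub in stubs:
        boundary = next((b for b in BOUNDARIES
                         if stub == b or stub.endswith("." + b)), None)
        if boundary is None or local_zones.get(boundary) == "nodefault":
            continue                       # not private space, or default lifted
        if local_zones.get(stub) == "transparent":
            continue                       # the override the post recommends
        if local_zones.get(stub) == "nodefault":
            findings.append((stub, "nodefault below the boundary has no effect"))
        else:
            findings.append((stub, "no local-zone override"))
    return findings
```
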