Forum Turris

Dear Turris router users,

This forum was frozen on Dec 9th, 2016 and replaced by our new Turris forum. It will remain accessible read-only for some time. For more information, read the announcement about closing the forum.

Topic: Router owners / Technical support / Broken reverse DNS
By Sova on 2014-08-13 15:50
It seems that the last update broke reverse DNS:

$ dig -x 77.75.76.3 @192.168.x.y    [192.168.x.y is the IP of the Turris]

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> -x 77.75.76.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7635
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;3.76.75.77.in-addr.arpa.       IN      PTR

;; Query time: 204 msec
;; SERVER: 192.168.x.y#53(192.168.x.y)
;; WHEN: Wed Aug 13 16:35:11 CEST 2014
;; MSG SIZE  rcvd: 52

This only affects unbound, though. I run an unbound/dnsmasq combination: unbound asks dnsmasq (running on a higher port) for DNS information concerning the local network.

If I ask dnsmasq directly, I learn what I need:

$ dig -x  77.75.76.3 @192.168.x.y -p 53535

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> -x 77.75.76.3 @192.168.x.y -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18508
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;3.76.75.77.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
3.76.75.77.in-addr.arpa. 2854   IN      PTR     www.seznam.cz.

;; Query time: 0 msec
;; SERVER: 192.168.x.y#53535(192.168.x.y)
;; WHEN: Wed Aug 13 16:44:17 CEST 2014
;; MSG SIZE  rcvd: 68

Do you have any tip on how to find or remove the error? Or a way to downgrade? Or removing unbound entirely (since the new dnsmasq can already do DNSSEC)?

Thanks!
By Ondřej Caletka (>>>) on 2014-08-13 16:10
It works for me without any problem:
# dig -x 77.75.76.3 +short
www.seznam.cz.


Look in the log for what exactly unbound is missing.
By Sova on 2014-08-13 23:28
I tried that, but until recently there was nothing there at all apart from the usual messages after a restart. Only now has this appeared:

2014-08-13T13:29:21+02:00 info unbound[]: [7506:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2014-08-13T20:14:01+02:00 info unbound[]: [7506:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2014-08-13T20:14:02+02:00 info unbound[]: [7506:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

Does that tell you at least something off the top of your head, so you could point me in the right direction? The timestamps of those entries definitely do not match the times of the DNS queries shown above.

Should I look elsewhere or in some other way?
By Ondřej Caletka (>>>) on 2014-08-14 08:06
This looks like unbound failed to load the key from the root zone, most likely because of a connectivity outage. That probably is not the cause, because then DNS would not work at all.

Try installing the unbound-host tool and running it as I do below. A pile of debugging messages will come out, from which one could hopefully work out what is wrong: (I had to shorten it so the forum would not reject it)

# opkg install unbound-host
# unbound-host -C /var/etc/unbound/unbound.conf -d 77.75.76.3
[1407999692] libunbound[23144:0] notice: init module 0: validator
[1407999692] libunbound[23144:0] notice: init module 1: iterator
[1407999692] libunbound[23144:0] info: resolving 3.76.75.77.in-addr.arpa. PTR IN
[1407999692] libunbound[23144:0] info: priming . IN NS
[1407999692] libunbound[23144:0] info: resolving B.ROOT-SERVERS.NET. AAAA IN
[1407999692] libunbound[23144:0] info: priming . IN NS
[1407999692] libunbound[23144:0] info: response for . NS IN
[1407999692] libunbound[23144:0] info: reply from <.> 2001:500:2d::d#53
[1407999692] libunbound[23144:0] info: query response was ANSWER
[1407999692] libunbound[23144:0] info: priming successful for . NS IN
[1407999692] libunbound[23144:0] info: resolving j.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: resolving g.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: resolving m.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: resolving m.root-servers.net. A IN
[1407999692] libunbound[23144:0] info: resolving d.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: resolving . DNSKEY IN
[1407999692] libunbound[23144:0] info: resolving j.root-servers.net. A IN
[1407999692] libunbound[23144:0] info: resolving e.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: response for m.root-servers.net. A IN
[1407999692] libunbound[23144:0] info: reply from <.> 192.5.5.241#53
[1407999692] libunbound[23144:0] info: query response was ANSWER
[1407999692] libunbound[23144:0] info: response for d.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: reply from <.> 192.203.230.10#53
[1407999692] libunbound[23144:0] info: query response was ANSWER
[1407999692] libunbound[23144:0] info: response for 3.76.75.77.in-addr.arpa. PTR IN
[1407999692] libunbound[23144:0] info: reply from <.> 198.41.0.4#53
[1407999692] libunbound[23144:0] info: query response was REFERRAL
[1407999692] libunbound[23144:0] info: resolving a.in-addr-servers.arpa. AAAA IN
[1407999692] libunbound[23144:0] info: resolving b.in-addr-servers.arpa. AAAA IN
[1407999692] libunbound[23144:0] info: resolving k.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: resolving b.in-addr-servers.arpa. A IN
[1407999692] libunbound[23144:0] info: resolving h.root-servers.net. AAAA IN
[1407999692] libunbound[23144:0] info: resolving in-addr.arpa. DNSKEY IN

[1407999692] libunbound[23144:0] info: response for ns3.nic.fr. AAAA IN
[1407999692] libunbound[23144:0] info: reply from <nic.fr.> 192.134.4.1#53
[1407999692] libunbound[23144:0] info: query response was ANSWER
[1407999692] libunbound[23144:0] info: response for ns6.ext.nic.fr. AAAA IN
[1407999692] libunbound[23144:0] info: reply from <nic.fr.> 192.134.4.1#53
[1407999692] libunbound[23144:0] info: query response was ANSWER
[1407999692] libunbound[23144:0] info: response for ns3.nic.fr. A IN
[1407999692] libunbound[23144:0] info: reply from <fr.> 2a00:d78:0:102:193:176:144:22#53
[1407999692] libunbound[23144:0] info: query response was REFERRAL
[1407999692] libunbound[23144:0] info: resolving ns1.ext.nic.fr. AAAA IN
[1407999692] libunbound[23144:0] info: response for f.ext.nic.fr. A IN
[1407999692] libunbound[23144:0] info: reply from <nic.fr.> 2001:660:3006:1::1:1#53
[1407999692] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for g.ext.nic.fr. A IN
[1407999693] libunbound[23144:0] info: reply from <nic.fr.> 192.134.0.49#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for g.ext.nic.fr. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <nic.fr.> 192.134.4.1#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for ns3.nic.fr. A IN
[1407999693] libunbound[23144:0] info: reply from <nic.fr.> 2001:620:0:1b:5054:ff:fe74:8780#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for 3.76.75.77.in-addr.arpa. PTR IN
[1407999693] libunbound[23144:0] info: reply from <77.in-addr.arpa.> 2001:500:13::c7d4:35#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: resolving ms.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: resolving ns.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: resolving b.root-servers.net. AAAA IN
[1407999693] libunbound[23144:0] info: resolving c.root-servers.net. AAAA IN
[1407999693] libunbound[23144:0] info: resolving ns.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: resolving ms.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: response for sec3.apnic.net. A IN
[1407999693] libunbound[23144:0] info: reply from <apnic.net.> 2001:500:13::c7d4:35#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for ms.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: reply from <.> 2001:500:3::42#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for c.root-servers.net. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <root-servers.net.> 192.58.128.30#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for b.root-servers.net. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <root-servers.net.> 2001:500:2d::d#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for ms.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: reply from <cz.> 194.0.14.1#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ms.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: reply from <seznam.cz.> 77.75.73.77#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for 3.76.75.77.in-addr.arpa. PTR IN
[1407999693] libunbound[23144:0] info: reply from <76.75.77.in-addr.arpa.> 77.75.77.77#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: prime trust anchor
[1407999693] libunbound[23144:0] info: resolving . DNSKEY IN
[1407999693] libunbound[23144:0] info: validate keys with anchor(DS): sec_status_secure
[1407999693] libunbound[23144:0] info: Successfully primed trust anchor . DNSKEY IN
[1407999693] libunbound[23144:0] info: resolving arpa. DS IN
[1407999693] libunbound[23144:0] info: response for ms.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <.> 2001:dc3::35#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ns4.apnic.com. A IN
[1407999693] libunbound[23144:0] info: reply from <.> 128.63.2.53#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ms.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <cz.> 2001:678:1::1#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for u.arin.net. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <arin.net.> 2001:500:31::108#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for sns-pb.isc.org. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <org.> 199.19.57.1#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ms.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <seznam.cz.> 77.75.77.77#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for ns.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <.> 2001:7fd::1#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ns.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <cz.> 2001:678:10::1#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for sns-pb.isc.org. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <isc.org.> 2001:500:60::30#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: resolving sec3.apnic.net. A IN
[1407999693] libunbound[23144:0] info: response for ns.seznam.cz. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <seznam.cz.> 77.75.77.77#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for sns-pb.isc.org. A IN
[1407999693] libunbound[23144:0] info: reply from <isc.org.> 149.20.64.3#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for b.in-addr-servers.arpa. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <in-addr-servers.arpa.> 2001:dd8:6::101#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for m.gtld-servers.net. A IN
[1407999693] libunbound[23144:0] info: reply from <net.> 192.5.6.30#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ns4.apnic.com. A IN
[1407999693] libunbound[23144:0] info: reply from <com.> 192.5.6.30#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for m.gtld-servers.net. A IN
[1407999693] libunbound[23144:0] info: reply from <gtld-servers.net.> 192.54.112.31#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for arpa. DS IN
[1407999693] libunbound[23144:0] info: reply from <.> 192.112.36.4#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: validated DS arpa. DS IN
[1407999693] libunbound[23144:0] info: resolving arpa. DNSKEY IN
[1407999693] libunbound[23144:0] info: response for sec1.apnic.net. A IN
[1407999693] libunbound[23144:0] info: reply from <apnic.net.> 2001:dc0:2001:a:4608::59#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for tinnie.apnic.net. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <apnic.net.> 202.12.29.60#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for sec1.apnic.net. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <apnic.net.> 202.12.29.60#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for sec3.apnic.net. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <apnic.net.> 2001:dc0:2001:a:4608::59#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for c.in-addr-servers.arpa. AAAA IN
[1407999693] libunbound[23144:0] info: reply from <in-addr-servers.arpa.> 203.119.86.101#53
[1407999693] libunbound[23144:0] info: query response was ANSWER
[1407999693] libunbound[23144:0] info: response for ns.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: reply from <.> 202.12.27.33#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ns.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: reply from <cz.> 193.29.206.1#53
[1407999693] libunbound[23144:0] info: query response was REFERRAL
[1407999693] libunbound[23144:0] info: response for ns.seznam.cz. A IN
[1407999693] libunbound[23144:0] info: reply from <seznam.cz.> 2a02:598:2::1077#53
[1407999693] libunbound[23144:0] info: query response was ANSWER

[1407999694] libunbound[23144:0] info: response for 75.77.in-addr.arpa. DS IN
[1407999694] libunbound[23144:0] info: reply from <77.in-addr.arpa.> 202.12.29.59#53
[1407999694] libunbound[23144:0] info: query response was nodata ANSWER
[1407999694] libunbound[23144:0] info: NSEC RRset for the referral proved not a delegation point
[1407999694] libunbound[23144:0] info: NSEC RRset for the referral proved no DS.
[1407999694] libunbound[23144:0] info: Verified that unsigned response is INSECURE
3.76.75.77.in-addr.arpa domain name pointer www.seznam.cz.
By Sova on 2014-08-14 09:57
Here is the answer I get. I vaguely suspect the problem is in DNSSEC, and I guess that my ISP's DNS server (10.10.0.1) does not forward the DNSSEC record and unbound, for God knows what reason, does not request it from the secondary Google 8.8.8.8. But please correct me, these are just guesses; I am rather out of my depth here.

[1408006065] libunbound[12347:0] notice: init module 0: validator
[1408006065] libunbound[12347:0] notice: init module 1: iterator
[1408006066] libunbound[12347:0] info: resolving 3.76.75.77.in-addr.arpa. PTR IN
[1408006066] libunbound[12347:0] info: response for 3.76.75.77.in-addr.arpa. PTR IN
[1408006066] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006066] libunbound[12347:0] info: query response was ANSWER
[1408006066] libunbound[12347:0] info: prime trust anchor
[1408006066] libunbound[12347:0] info: resolving . DNSKEY IN
[1408006068] libunbound[12347:0] info: response for . DNSKEY IN
[1408006068] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006068] libunbound[12347:0] info: query response was ANSWER
[1408006068] libunbound[12347:0] info: validate keys with anchor(DS): sec_status_secure
[1408006068] libunbound[12347:0] info: Successfully primed trust anchor . DNSKEY IN
[1408006068] libunbound[12347:0] info: resolving arpa. DS IN
[1408006068] libunbound[12347:0] info: response for arpa. DS IN
[1408006068] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006068] libunbound[12347:0] info: query response was ANSWER
[1408006068] libunbound[12347:0] info: validated DS arpa. DS IN
[1408006068] libunbound[12347:0] info: resolving arpa. DNSKEY IN
[1408006069] libunbound[12347:0] info: response for arpa. DNSKEY IN
[1408006069] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006069] libunbound[12347:0] info: query response was ANSWER
[1408006069] libunbound[12347:0] info: validated DNSKEY arpa. DNSKEY IN
[1408006069] libunbound[12347:0] info: resolving in-addr.arpa. DS IN
[1408006069] libunbound[12347:0] info: response for in-addr.arpa. DS IN
[1408006069] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006069] libunbound[12347:0] info: query response was nodata ANSWER
[1408006069] libunbound[12347:0] info: NSEC RRset for the referral did not prove no DS.
[1408006069] libunbound[12347:0] info: resolving in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: response for in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: reply from <.> 10.10.0.1#53
[1408006072] libunbound[12347:0] info: query response was ANSWER
[1408006072] libunbound[12347:0] info: DS rrset in DS response did not verify
[1408006072] libunbound[12347:0] info: resolving in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: response for in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006072] libunbound[12347:0] info: query response was ANSWER
[1408006072] libunbound[12347:0] info: validated DS in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: resolving in-addr.arpa. DNSKEY IN
[1408006072] libunbound[12347:0] info: response for in-addr.arpa. DNSKEY IN
[1408006072] libunbound[12347:0] info: reply from <.> 10.10.0.1#53
[1408006072] libunbound[12347:0] info: query response was ANSWER
[1408006072] libunbound[12347:0] info: resolving in-addr.arpa. DNSKEY IN
[1408006073] libunbound[12347:0] info: response for in-addr.arpa. DNSKEY IN
[1408006073] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006073] libunbound[12347:0] info: query response was ANSWER
[1408006073] libunbound[12347:0] info: validated DNSKEY in-addr.arpa. DNSKEY IN
[1408006073] libunbound[12347:0] info: resolving 77.in-addr.arpa. DS IN
[1408006073] libunbound[12347:0] info: response for 77.in-addr.arpa. DS IN
[1408006073] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006073] libunbound[12347:0] info: query response was nodata ANSWER
[1408006073] libunbound[12347:0] info: NSEC RRset for the referral did not prove no DS.
[1408006073] libunbound[12347:0] info: resolving 77.in-addr.arpa. DS IN
[1408006073] libunbound[12347:0] info: response for 77.in-addr.arpa. DS IN
[1408006073] libunbound[12347:0] info: reply from <.> 10.10.0.1#53
[1408006073] libunbound[12347:0] info: query response was ANSWER
[1408006073] libunbound[12347:0] info: DS rrset in DS response did not verify
[1408006073] libunbound[12347:0] info: resolving 77.in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: response for 77.in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006104] libunbound[12347:0] info: query response was ANSWER
[1408006104] libunbound[12347:0] info: validated DS 77.in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: resolving 77.in-addr.arpa. DNSKEY IN
[1408006104] libunbound[12347:0] info: response for 77.in-addr.arpa. DNSKEY IN
[1408006104] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006104] libunbound[12347:0] info: query response was ANSWER
[1408006104] libunbound[12347:0] info: validated DNSKEY 77.in-addr.arpa. DNSKEY IN
[1408006104] libunbound[12347:0] info: resolving 75.77.in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: response for 75.77.in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: reply from <.> 10.10.0.1#53
[1408006104] libunbound[12347:0] info: query response was nodata ANSWER
[1408006104] libunbound[12347:0] info: Could not establish a chain of trust to keys for 75.77.in-addr.arpa. DNSKEY IN
3.76.75.77.in-addr.arpa domain name pointer www.seznam.cz.
validation failure <3.76.75.77.in-addr.arpa. PTR IN>: no DNSSEC records from 10.10.0.1 for DS 75.77.in-addr.arpa. while building chain of trust
By Ondřej Caletka (>>>) on 2014-08-14 10:25
Yes, that is most likely exactly it. Turn off forwarding and everything will start working :)
By Sova on 2014-08-14 10:46
After turning off forwarding, reverse DNS starts working for the internet, but not for the local network :(

In the relevant configuration file I do have

stub-zone:
        name: "x.168.192.in-addr.arpa."
        stub-addr: "127.0.0.1@53535"

but with forwarding turned off it does me no good:

Host y.x.168.192.in-addr.arpa not found: 3(NXDOMAIN).

So I would really need to remove the cause of the problem, otherwise it will not work (at least that is how it looks to me).
By Ondřej Caletka (>>>) on 2014-08-14 11:12
The cause of the problem is that the server you forward to does not support DNSSEC. So turning off forwarding is the correct solution.

Passing queries via stub-zone has nothing to do with forwarding. Did you forget to set the domain-insecure option for the given domain in the configuration? More in an older post.
By Sova on 2014-08-14 11:31
Sorry, I forgot to also send the relevant part of the "server" section of the unbound configuration. I think I have everything set up according to the guide, but just to be sure:

server:
        domain-insecure: "intra."
        domain-insecure: "x.168.192.in-addr.arpa."
        private-domain: "intra."
        do-not-query-localhost: no
        do-ip6: no
By Ondřej Caletka (>>>) on 2014-08-14 11:54
That looks good. Try unbound-host again; maybe we will find out what is wrong this time. You can also try using a forward-zone construct instead of the stub-zone construct. The result should be identical.
By Sova on 2014-08-14 16:32, edited 2014-08-14 16:42
I already sent the unbound-host output above; it is very terse:

[1408009236] libunbound[27600:0] notice: init module 0: validator
[1408009236] libunbound[27600:0] notice: init module 1: iterator
Host y.x.168.192.in-addr.arpa not found: 3(NXDOMAIN).

That is all. After substituting s/stub/forward/ and restarting unbound, the result is indeed identical. Turning forwarding on/off in Foris has no effect either. Thanks in advance for any further ideas.

EDIT: For completeness, I get the same output when I try other addresses from the local network (i.e. not only the address of the Turris itself).
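
The attribution done by eye in this thread, as an added example that is not part of any post: the script walks `unbound-host -d` output, ties each validator message to the server named in the preceding `reply from` line, and lists servers that produced validation failures but never a validated answer. The function name `analyze` and the line-adjacency heuristic are assumptions; the sample lines are abridged from the two outputs quoted above.

```python
import re
from collections import Counter

# Constructed samples: lines abridged from the two unbound-host outputs in this thread.
SAMPLE_FAILING = """\
[1408006069] libunbound[12347:0] info: response for in-addr.arpa. DS IN
[1408006069] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006069] libunbound[12347:0] info: query response was nodata ANSWER
[1408006069] libunbound[12347:0] info: NSEC RRset for the referral did not prove no DS.
[1408006072] libunbound[12347:0] info: response for in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: reply from <.> 10.10.0.1#53
[1408006072] libunbound[12347:0] info: query response was ANSWER
[1408006072] libunbound[12347:0] info: DS rrset in DS response did not verify
[1408006072] libunbound[12347:0] info: response for in-addr.arpa. DS IN
[1408006072] libunbound[12347:0] info: reply from <.> 8.8.8.8#53
[1408006072] libunbound[12347:0] info: query response was ANSWER
[1408006072] libunbound[12347:0] info: validated DS in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: response for 75.77.in-addr.arpa. DS IN
[1408006104] libunbound[12347:0] info: reply from <.> 10.10.0.1#53
[1408006104] libunbound[12347:0] info: query response was nodata ANSWER
[1408006104] libunbound[12347:0] info: Could not establish a chain of trust to keys for 75.77.in-addr.arpa. DNSKEY IN
3.76.75.77.in-addr.arpa domain name pointer www.seznam.cz.
validation failure <3.76.75.77.in-addr.arpa. PTR IN>: no DNSSEC records from 10.10.0.1 for DS 75.77.in-addr.arpa. while building chain of trust
"""
SAMPLE_TERSE = """\
[1408009236] libunbound[27600:0] notice: init module 0: validator
[1408009236] libunbound[27600:0] notice: init module 1: iterator
Host y.x.168.192.in-addr.arpa not found: 3(NXDOMAIN).
"""

REPLY_RE = re.compile(r"info: reply from <[^>]*> (\S+)#\d+")
RESPONSE_RE = re.compile(r"info: response for ")
FAIL_RE = re.compile(
    r"info: .*(did not verify|did not prove|Could not establish a chain of trust)")
OK_RE = re.compile(r"info: (validated |Successfully primed trust anchor)")
VERDICT_RE = re.compile(r"^(validation failure <.*|Host \S+ not found: .*)$")


def analyze(log_text):
    """Attribute validator messages to the upstream that sent the preceding reply.

    Heuristic (assumption): a validator line belongs to the most recent
    'reply from' line; a new 'response for' line ends that attribution.
    """
    replies, failed, validated = Counter(), Counter(), Counter()
    current, verdict = None, None
    for line in log_text.splitlines():
        match = REPLY_RE.search(line)
        if match:
            current = match.group(1)
            replies[current] += 1
        elif RESPONSE_RE.search(line):
            current = None
        elif VERDICT_RE.match(line):
            verdict = line
        elif current and FAIL_RE.search(line):
            failed[current] += 1
        elif current and OK_RE.search(line):
            validated[current] += 1
    # A server is suspect if it caused failures and never a validated answer.
    suspects = sorted(ip for ip in failed if validated[ip] == 0)
    return {
        "replies": dict(replies),
        "failed": dict(failed),
        "validated": dict(validated),
        "suspects": suspects,
        "verdict": verdict,
        # No upstream reply logged at all: the answer came from unbound itself.
        "answered_locally": verdict is not None and not replies,
    }


if __name__ == "__main__":
    for name, sample in (("forwarding", SAMPLE_FAILING), ("local reverse", SAMPLE_TERSE)):
        print(name, analyze(sample))
```

For the terse output, `answered_locally` is true because no upstream reply is logged, so the NXDOMAIN was generated inside unbound and the stub at 127.0.0.1@53535 does not appear to have been consulted. Unbound's built-in local zones for RFC 1918 reverse ranges are one documented source of such locally generated answers; the thread does not establish whether that is the cause here.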
By Jan Čermák (>>) on 2014-08-14 11:35
I will answer only the last question: dnsmasq can do DNSSEC, but it can only verify answers. If we fully replaced Unbound with dnsmasq, resolving would not work correctly, not only for you but also for the large number of other people for whom Unbound does not work in forwarder mode.
By Sova on 2014-08-18 08:46
One more addition and one question:

- before the last update everything worked even with forwarding turned on; so it is possible that in previous versions unbound, when one of the name servers did not support DNSSEC, also tried the others listed

- does the configuration described here (i.e. unbound + dnsmasq for the local network), including reverse DNS in the local network, currently work for anyone?

The trouble with hunting the error is that there is nothing from unbound in /var/log/messages at all :(