Maintained by: NLnet Labs

[Unbound-users] private-address behaviour

Jakub Heichman
Thu Jan 27 11:57:38 CET 2011


Greetings,

After configuring private-address (and private-domain) entries I was hoping
that unbound would simply strip the private IP addresses from responses.
However, in my testing (unbound 1.4.8 and previous versions) I'm seeing that
the queries will SERVFAIL, also for domains whose NS records point to a name
that resolves to a private address, for example:

private-address: 192.168.0.0/16
private-address: 127.0.0.1/8

$ dig smithfield.com @unbound

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22290

;; QUESTION SECTION:
;smithfield.com. IN A

;; Query time: 904 msec


$ dig @ns2.ndshq.com. smithfield.com

;; ANSWER SECTION:
smithfield.com.         38400 IN    A     72.3.245.136

;; AUTHORITY SECTION:
smithfield.com.         38400 IN    NS    ns1.ndshq.com.
smithfield.com.         38400 IN    NS    ns2.ndshq.com.
smithfield.com.         38400 IN    NS    ns0.ndshq.com.

;; ADDITIONAL SECTION:
ns0.ndshq.com.          38400 IN    A     192.168.6.11
ns1.ndshq.com.          38400 IN    A     65.173.99.98
ns2.ndshq.com.          38400 IN    A     173.50.95.13




$ dig mailfrom.com @unbound

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46581

;; QUESTION SECTION:
;mailfrom.com. IN A

;; Query time: 2442 msec


$ dig mailfrom.com @ns1.sedoparking.com.

;; ANSWER SECTION:
mailfrom.com. 86400 IN A 127.0.0.1



I'm wondering if this is expected behaviour? Should I be seeing SERVFAIL
(note long query time) or NOERROR/NODATA with private data stripped?

Thanks very much :-)

-- 
Jakub Heichman
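
Added example, not part of the original post and not Unbound's own code: a Python check that reports which address records in dig output like that quoted above fall inside the configured private-address netblocks. The function names and the embedded sample (records copied from the post) are assumptions made for the illustration.

```python
import ipaddress

# private-address values from the post. "127.0.0.1/8" has host bits set, so
# strict=False is needed to read it as the netblock 127.0.0.0/8.
PRIVATE_ADDRESS = ["192.168.0.0/16", "127.0.0.1/8"]

# Constructed sample input: records taken from the dig answers in the post.
SAMPLE = """\
;; ANSWER SECTION:
smithfield.com.         38400 IN    A     72.3.245.136
;; AUTHORITY SECTION:
smithfield.com.         38400 IN    NS    ns0.ndshq.com.
;; ADDITIONAL SECTION:
ns0.ndshq.com.          38400 IN    A     192.168.6.11
ns1.ndshq.com.          38400 IN    A     65.173.99.98
;; ANSWER SECTION:
mailfrom.com. 86400 IN A 127.0.0.1
"""

def parse_records(text):
    """Yield (section, owner, rtype, rdata) for each record line of dig output."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:-len("SECTION:")].strip()
        elif line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[2] == "IN":
                yield section, fields[0], fields[3], fields[4]

def private_hits(text, entries=PRIVATE_ADDRESS):
    """Return (section, owner, address, netblock) for each A/AAAA record whose
    address lies inside one of the configured private-address netblocks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    hits = []
    for section, owner, rtype, rdata in parse_records(text):
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata: not an address, nothing to match
        match = next((n for n in nets if addr in n), None)
        if match is not None:
            hits.append((section, owner, rdata, str(match)))
    return hits

if __name__ == "__main__":
    for hit in private_hits(SAMPLE):
        print(hit)
```

On the sample, the two matches are the glue record for ns0.ndshq.com. in the ADDITIONAL section and the A record for mailfrom.com. in the ANSWER section.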