STUB-ADDR (of unbound.conf): 127.0.0.1@PORT (fails)
---------------------------------------------------
I can run NSD on port 8053 on the interface 127.0.0.1 for a domain, say
turkeys.com.au.

I can then query that externally (with 'pf' doing an 'rdr' from some
external IP 'rdr'd to 'lo0') and it works.

But if I run 'unbound' on port 53 on the same machine as that NSD and then
have a 'stub-zone' in my unbound.conf specified as

    stub-addr: 127.0.0.1@8053

then a 'dig' or 'nslookup' fails even though I can get to port 8053 on
127.0.0.1.

But, if I then run NSD on the IP of a real interface, i.e. not 'lo', and
then use that IP as the stub-addr, it works.

Why cannot unbound query NSD on 127.0.0.1 when other people (from the
outside) can get through to it? Basically, why doesn't 127.0.0.1 work as a
stub-addr?

There is some mention in the Changelogs of 2008 that this is working.
The idea of digging through the source code (to find out why it now does
not) really does not enthuse me.

Also, where one has a 'forward-zone' of "." on a machine where there is a
running NSD controlling several zones, say A, B and C, should one have a
separate forward-zone for those 3 zones which can be satisfied locally
rather than having them go out to some global 'catch-all' forwarder if a
name is not in the case?

UNBOUND.CONF: Wording of man page
---------------------------------
I had a look at the English in the unbound man page talking about
forward-first.

    If enabled, a query is attempted without the forward clause if it
    fails.

Does this mean that

    If enabled, and if a query fails to all the forward-addr hosts,
    that same query is re-attempted without the forward clause.

I assume that means that the query is reattempted locally which I guess
would only mean going to stub-zones.

The second sentence says

    The data could not be retrieved and would have caused SERVFAIL
    because the servers are unreachable, instead it is tried without
    this clause.

Does that mean that

    This situation happens when data could not be retrieved because
    the servers are unreachable. While normally, this would cause a
    SERVFAIL, instead the error is ignored and the request is retried
    without forwarding active, i.e. it is retried locally.

Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
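
Added example, not part of the original message: Unbound's `do-not-query-localhost` option defaults to `yes`, which stops it sending queries to 127.0.0.0/8 and ::1, a loopback `stub-addr` included. The fragment below shows the setup described above with that option changed; the zone name and port are taken from the message, and the forwarder address 192.0.2.1 is a constructed placeholder.

```conf
# unbound.conf fragment (added example, not the poster's actual file)

server:
    port: 53

    # Default is "yes": localhost (127.0.0.0/8 and ::1) is added to the
    # do-not-query-address list, so a stub-addr or forward-addr on
    # loopback is never contacted and the lookup fails. Clients reaching
    # NSD from outside via the pf rdr are not affected by this setting,
    # which is why they still get answers.
    #
    # Before:  do-not-query-localhost: yes   (implicit default)
    do-not-query-localhost: no

# Local authoritative zone served by NSD on the same host.
# Safe against query loops only because NSD listens on a different
# port (8053) than unbound itself (53); never point a stub or forward
# address at unbound's own address and port.
stub-zone:
    name: "turkeys.com.au"
    stub-addr: 127.0.0.1@8053

# Catch-all forwarder. The stub-zone above is the more specific match
# for names under turkeys.com.au, so those queries go to NSD and not to
# the forwarder. One stub-zone per locally served zone is needed.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1        # constructed placeholder address
    # On failure of the forwarders, retry the query as if this
    # forward-zone were absent, i.e. by normal iterative resolution.
    forward-first: yes
```

After reloading, `dig @127.0.0.1 turkeys.com.au SOA` against unbound should return NSD's data; if DNSSEC validation is enabled and the local zone is unsigned or differs from the public delegation, validation settings for that zone need checking as well.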