
unbound.conf is used to configure Unbound, a caching DNS resolver. The documentation of version 1.6.8 says:

Server Options
    private-domain: <domain name>
        Allow this domain, and all its subdomains to contain private
        addresses. Give multiple times to allow multiple domain names
        to contain private addresses. Default is none.

We run unbound Version 1.6.0 with Debian Stretch (manpage and cited documentation do not differ here).

We have tested the following three variants separately by:

  • editing /etc/unbound/unbound.conf
  • checking with unbound-checkconf
  • restarting with systemctl restart unbound.service
  • monitoring the unbound logfile.

Variant 1 (ending in a dot):

private-domain: domain.example.

Variant 2 (not ending in a dot):

private-domain: domain.example

Variant 3 (in given order):

private-domain: "domain.example. domain.example"

For all three variants unbound-checkconf returns:

unbound-checkconf: no errors in /etc/unbound/unbound.conf

For variant 3 we find in the logfile:

debug: ignoring duplicate private-domain: domain.example.

Makes sense, because one entry for the same domain name has to be sufficient and it seems to verify that unbound has an identical handling for both ways of writing the domain names (with/without dot).

Both ways are working, but what is the correct syntax to define private domain names in unbound? Should domain names end in a dot, or not? Is the dot at the end useful or meaningless? What implications could a needless or a missing dot have?

Fabian
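
A model of the comparison the "ignoring duplicate" log line suggests, as an added example that is not part of the original question and not Unbound's own code: names are compared label by label after dropping the trailing dot and folding case, so both spellings denote the same private-domain. The function names and the sample config are constructed for illustration, and treating dotted and undotted names as the same absolute name is an assumption drawn from that log message.

```python
import re

# Constructed sample config: both spellings from the question plus one more name.
SAMPLE_CONF = """\
server:
    private-address: 192.168.0.0/16
    private-domain: domain.example.
    private-domain: domain.example
    private-domain: "intranet.test"   # quoted form
"""

def normalize(name):
    """Return the name as a tuple of lower-case labels, top-level label first.

    Assumption: a name in the config is taken as fully qualified whether or
    not it ends in a dot, so the trailing dot is dropped before comparing.
    """
    name = name.strip().strip('"').lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".") if name else []
    if any(not label or len(label) > 63 for label in labels):
        raise ValueError(f"bad domain name: {name!r}")
    return tuple(reversed(labels))

def load_private_domains(conf_text):
    """Collect private-domain entries and list those that repeat an earlier one."""
    domains, duplicates = set(), []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = re.match(r"\s*private-domain:\s*(\S.*)$", line)
        if not m:
            continue
        key = normalize(m.group(1))
        if key in domains:
            duplicates.append(m.group(1).strip())
        else:
            domains.add(key)
    return domains, duplicates

def is_exempt(qname, domains):
    """True if qname is a private-domain or a subdomain of one (per-label match)."""
    labels = normalize(qname)
    return any(labels[:len(d)] == d for d in domains)
```

Because the match is made on whole labels, a name such as notdomain.example is not covered by an entry for domain.example, which matters when the entry exempts names from private-address filtering.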