in order to make rbldnsd as rhsbl authoritative nameserver for unbound, the simple way is to create stub-zone like this:
stub-zone: name: "rhsbl.example.com." stub-addr: 172.18.1.1@530
if we configured unbound as iterator and validator, this minimal configuration will not work. when you query for example:
# dig blacklisted.domain.com.rhsbl.example.com
we will get “SERVFAIL” replied.
the simple way is by turned off validator function in unbound, but if we still want validator function in unbound, we can simply exclude our rhsbl zone in stub-zone as insecure domain.
now, we wlll get reply as expected
# dig blacklisted.domain.com.rhsbl.example.com +short 127.0.0.2
and in rbldnsd start up config
RBLDNSD="dsbl -r/var/lib/rbldnsd -t 300 -b 172.18.1.1/530 rhsbl.example.com:dnset:hosts"
happy blacklisting 😀
combined with checkdbl.pl script here: http://www.kutukupret.com/2010/12/03/postfix-header_checks-using-tcp_table-and-checkdbl-pl-script/ we can use it as header_checks map. here’s the result:
May 25 19:11:31 mx1 postfix/cleanup: 68A203080DD: reject: header From: Dominic McXXX <McXXX@domainspammer.com> from sub.domainspammer.com[xxx.xxx.xxx.xx]; from=<McXXX@domainspammer.com> to=<email@example.com> proto=ESMTP helo=<spammer>: 5.7.1 domainspammer.com, which appears in the 'From' header, is listed on rhsbl.example.com