Hi Roman, That can work if you configure Unbound with 'domain-insecure: "mydomain.org"' (courtesy of Wouter, please test, I'm not very knowledgeable when it comes to Unbound), but it will indeed break DNSSEC.
To make DNSSEC work, you will have to sign the zone twice and host a second copy (NSD or Unbound auth-zone). BIND offers something called a view, but even then you will need actual separate zones. I cannot think of a more convenient to achieve what you want and keep DNSSEC intact, but others may have suggestions(?) - Jeroen On Fri, 2023-09-01 at 13:16 +0200, Roman Serbski via nsd-users wrote: > Hello, > > NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say > mydomain.org) to the world. > > I've been approached by a customer with the request to include > certain > records into mydomain.org zone which will be resolvable only from > their premises. > > I'm thinking to setup a pair of unbound instances, ask the customer > to > configure conditional forwarding for mydomain.org to those unbound > instances, and serve requested records by unbound, while the rest of > the zone will be handled by NSD. > > I think this will break DNSSEC for them -- do you think this is the > right approach? Any ideas would be very much appreciated. > > Thank you. > _______________________________________________ > nsd-users mailing list > nsd-users@lists.nlnetlabs.nl > https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users _______________________________________________ nsd-users mailing list nsd-users@lists.nlnetlabs.nl https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
