Hi all, after a long time with Bind, I'm moving to NSD and Unbound for my internal DNS infra.
I'm testing it thru docker containers, one for NSD and another for unbound. I add the zone files on NSD which thru a script loads the zones and (using unbound-control) notifies the unbound service (resolver) to set the zones as stub-zones to forward to NSD.

This is my test zone (I think quite representative):

    dome.        3600 IN SOA   ns.dome. hostmaster.dome. 2020032501 300 120 600 86400
    dome.        3600 IN NS    ns.dome.
    emba.dome.   3600 IN NS    ns.dome.
    ns.dome.     3600 IN A     192.168.128.128
    priv.dome.   3600 IN A     10.0.0.1
    priv.dome.   3600 IN TXT   "Private record"
    pub.dome.    3600 IN A     80.0.0.1
    pub.dome.    3600 IN TXT   "Public record"
    alias.dome.  3600 IN CNAME www.gmail.com.

The problem is expected: my current setup sets the RFC1918 blocks as private, so unbound is stripping the answers for 'priv.dome':

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1876
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1472
    ;; QUESTION SECTION:
    ;priv.dome.                 IN      A

    ;; AUTHORITY SECTION:
    dome.               3580    IN      NS      ns.dome.

And the logs clearly state the reason:

    Apr 30 08:43:55 unbound[11:0] debug: sanitize: removing public name with private address <priv.dome.> 10.0.0.1#53

Obviously the records pointing to public IPs got answered correctly.

The fix is to add 'dome' in unbound.conf as 'private-domain'; however, this requires modifying the config file and I didn't find any 'control' command to set the domain as private remotely. Is there any alternate solution/workaround (entirely managing unbound thru unbound-control)?

Additionally, I read many references about unbound NOT being an authoritative server; however, it implements many features and provides the 'auth-zones' config stuff. Could anyone say which features/RFCs it doesn't implement so as not to be considered authoritative? I mean, what does it lack to work as an authoritative server?

Thanks much
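As an added illustration (not the poster's script and not unbound's own code), the snippet below models the "public name with private address" rule from the log line against the test zone in the post: it lists the address records a resolver with the RFC1918 blocks in private-address would strip, and shows the result once 'dome' is listed as private-domain. The zone text is copied from the post; the exact set of RFC1918 blocks is an assumption.

```python
import ipaddress

# Test zone from the post above, one record per line (constructed input, copied from the poster's zone).
ZONE = """\
dome. 3600 IN SOA ns.dome. hostmaster.dome. 2020032501 300 120 600 86400
dome. 3600 IN NS ns.dome.
emba.dome. 3600 IN NS ns.dome.
ns.dome. 3600 IN A 192.168.128.128
priv.dome. 3600 IN A 10.0.0.1
priv.dome. 3600 IN TXT "Private record"
pub.dome. 3600 IN A 80.0.0.1
pub.dome. 3600 IN TXT "Public record"
alias.dome. 3600 IN CNAME www.gmail.com.
"""

# The RFC1918 blocks the poster has configured as private-address (assumption: all three).
PRIVATE_ADDRESS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Return (owner, type, rdata) tuples from a simple one-record-per-line zone text."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # owner ttl class type rdata
        if line.startswith(";") or len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata))
    return records

def in_private_domain(owner, private_domains):
    """True if owner is at or below a private-domain name (compared label by label, not as a suffix string)."""
    labels = owner.rstrip(".").split(".")
    for dom in private_domains:
        d = dom.lower().rstrip(".").split(".")
        if labels[-len(d):] == d:
            return True
    return False

def stripped_records(zone_text, private_domains=()):
    """Address records the sanitizer rule would drop: private address under a name not in private-domain."""
    dropped = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        if any(addr in net for net in PRIVATE_ADDRESS) and not in_private_domain(owner, private_domains):
            dropped.append((owner, rdata))
    return dropped
```

Without a private-domain entry the model also flags ns.dome. (192.168.128.128), which is worth checking when the stub server's own name is queried through the resolver.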
