Thanks Steven. So, for my example scenario, I think the answer is the
following? (please correct anything that's wrong or omitted)
(1) PUT THIS INTO THE "forward.conf" FILE:
stub-zone:
    name: "this.example.com"
    stub-addr: 127.0.0.2
(2) PUT THIS INTO THE "unbound.conf" file:
server:
    domain-insecure: "this.example.com"
And then restart the unbound service?
Then queries to anything.this.example.com would get their answers from
127.0.0.2, and DNSSEC wouldn't be checked for those - and all other
queries would operate normally, without any of this applying to queries
that don't end in this.example.com
Is that correct? If I did anything that's incorrect, or if I missed a
step - please let me know. (Also, as my original post mentioned, it's
important that this forwarder NOT apply to other zones!)
Rob McEwen, invaluement
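As an added example (not code from this thread or from the Unbound project), a small Python lint that parses unbound-style config and flags any stub-zone or forward-zone whose name is not also covered by a server: domain-insecure entry, which is the pairing the messages above arrive at; the sample config, including the other.example.net zone, is constructed for the example.

```python
# Added example: check that every stub-zone / forward-zone pointing at a
# non-DNSSEC server is also listed under server: domain-insecure.

# Constructed sample: the two fragments proposed above plus one forwarded
# zone with no domain-insecure entry (the failure mode the lint catches).
SAMPLE_CONF = """\
server:
    domain-insecure: "this.example.com"
stub-zone:
    name: "this.example.com"
    stub-addr: 127.0.0.2
forward-zone:
    name: "other.example.net"
    forward-addr: 127.0.0.3
"""

def parse_unbound(text):
    """Return [(clause, {attr: [values]})] in file order. A line ending in ':'
    opens a clause; 'attr: value' lines belong to the latest clause. Unbound
    does not require indentation, so only the trailing ':' is significant."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.endswith(":"):
            clauses.append((line[:-1], {}))
        elif clauses:
            key, _, value = line.partition(":")
            values = clauses[-1][1].setdefault(key.strip(), [])
            values.append(value.strip().strip('"'))
    return clauses

def zones_missing_domain_insecure(text):
    """Return (clause, zone) pairs not covered by any domain-insecure entry."""
    clauses = parse_unbound(text)
    insecure = {v.rstrip(".").lower()
                for name, attrs in clauses if name == "server"
                for v in attrs.get("domain-insecure", [])}
    missing = []
    for name, attrs in clauses:
        if name in ("stub-zone", "forward-zone"):
            for zone in attrs.get("name", []):
                zone = zone.rstrip(".").lower()
                # domain-insecure covers the name itself and everything below it
                if not any(zone == i or zone.endswith("." + i) for i in insecure):
                    missing.append((name, zone))
    return missing
```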
------ Original Message ------
From "Steven Wills" <[email protected]>
To [email protected]
Date 3/27/2023 11:58:16 AM
Subject Re: can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)
Hello,
This may help.
https://serverfault.com/questions/1013205/unbound-doesnt-accept-answer-from-non-dnssec-forward-rule
There are plenty of guides to send Unbound as a forwarder. I like this
one.
https://www.redhat.com/sysadmin/forwarding-dns-2
Best regards,
Steven
-------- Original Message --------
On Mar 27, 2023, 10:45, Rob McEwen via Unbound-users <
[email protected]> wrote:
I'm new to this list - my apologies if this is already answered. Is
there a way to do conditional forwarders in unbound? ...and bypass
DNSSEC checking for THOSE queries? So to be clear, what I mean is
being able to tell unbound to get answers for a particular zone from a
particular IP address, bypassing the regular DNS system, but also not
changing how other zones/hostnames/domains are handled at all. (which
is why this is called a "conditional" forwarder - it only forwards
under a certain "condition") Here's an example of how this is done in
BIND:
zone "this.example.com" IN {
    type forward;
    forward only;
    forwarders { 127.0.0.2; };
};
So the scenario I need this for - is in those situations where one of
my clients uses an RSYNC feed of the invaluement DNSBL, sets that up
in a locally-hosted rbldnsd instance, then they want their unbound to
get answers ONLY for items that end with a particular hostname -
directly from the local or LAN IP that the rbldnsd instance is
listening on, but keeping all other queries in unbound the same as
before.

Also - for some years - conditional forwarding to rbldnsd was
broken in the latest versions of BIND because there wasn't a way to do
this in BIND without also doing DNSSEC checking (unless DNSSEC was
completely turned off!) - and rbldnsd doesn't do DNSSEC (or at least
not without some extra effort?) - so then starting with BIND 9.13.3,
BIND added their "validate-except" option where DNSSEC checking can be
turned off for particular zones, thus enabling the conditional
forwarding to rbldnsd to work again, yet without having to turn DNSSEC
completely off. (that zone just had to be specified in the
"validate-except" option)

So if unbound has a similar issue with
DNSSEC being enforced on queries forwarded to rbldnsd, is there a
similar solution? Or, in unbound, is DNSSEC compatibility when
forwarding queries to rbldnsd not a problem in the first place? Thanks
for your help with this!
--Rob McEwen, invaluement