It sort of seems this should only be done at runtime, because the source
of those DNSBLs is not under your control.
I would use:
unbound-control forward_add +i this.example.com 127.0.0.2
This redirects the selected name into the local daemon, also disabling
DNSSEC validation (+i) on that name. You would need some script pushing
those rules into unbound after it started, because it would forget them
on restart. If you have a list of affected domains, it may save you
generating a config file snippet for unbound. That is actually an amazing
advantage of unbound: it can do quite a lot of things at runtime from
unbound-control. In the config you would have to generate the insecure zone
and forward definition separately AFAIK.
On 3/27/23 17:45, Rob McEwen via Unbound-users wrote:
I'm new to this list - my apologies if this is already answered.
Is there a way to do conditional forwarders in unbound? ...and bypass
DNSSEC checking for THOSE queries?
So to be clear, what I mean is being able to tell unbound to get
answers for a particular zone from a particular IP address, bypassing
the regular DNS system, but also not changing how other
zones/hostnames/domains are handled at all. (which is why this is
called a "conditional" forwarder - it only forwards under a certain
"condition")
Here's an example of how this is done in BIND:
zone "this.example.com" IN {
    type forward;
    forward only;
    forwarders { 127.0.0.2; };
};
So the scenario I need this for - is in those situations where one of
my clients uses an RSYNC feed of the invaluement DNSBL, sets that up
in a locally-hosted rbldnsd instance, then they want their unbound to
get answers ONLY for items that end with a particular hostname -
directly from the local or LAN IP that the rbldnsd instance is
listening on, but keeping all other queries in unbound the same as
before.
Also - for some years - conditional forwarding to rbldnsd was broken
in the latest versions of BIND because there wasn't a way to do this in
BIND without also doing DNSSEC checking (unless DNSSEC was completely
turned off!) - and rbldnsd doesn't do DNSSEC (or at least not without
some extra effort?) - so then starting with BIND 9.13.3, BIND added
their "validate-except" option where DNSSEC checking can be turned off
for particular zones, thus enabling the conditional forwarding to
rbldnsd to work again, yet without having to turn DNSSEC completely
off. (that zone just had to be specified in the "validate-except" option)
So if unbound has a similar issue with DNSSEC being enforced on
queries forwarded to rbldnsd, is there a similar solution? Or, in
unbound, is DNSSEC compatibility when forwarding queries to rbldnsd
not a problem in the first place?
Thanks for your help with this!
Rob McEwen, invaluement
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
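As an added illustration of the "script pushing those rules into unbound after it started" that the reply suggests (not code from either poster), this POSIX shell snippet takes a list of DNSBL zones with the rbldnsd address each should be forwarded to and emits both the runtime `unbound-control forward_add +i` commands and the equivalent static `domain-insecure` plus `forward-zone` config. The zone list, the `other.example.net` entry and the 127.0.0.3 address are constructed sample values; only the first line mirrors the thread.

```shell
#!/bin/sh
# Constructed sample list: "<zone> <rbldnsd address>" per line. Replace with
# the hostnames your rbldnsd instance actually serves.
DNSBL_ZONES="this.example.com 127.0.0.2
other.example.net 127.0.0.3"

# Runtime form: one forward_add per zone, +i so unbound does not attempt
# DNSSEC validation of answers rbldnsd cannot sign. These are lost on
# restart, so re-run this after unbound comes up.
gen_forward_commands() {
  printf '%s\n' "$DNSBL_ZONES" | while read -r zone addr; do
    [ -n "$zone" ] || continue
    printf 'unbound-control forward_add +i %s %s\n' "$zone" "$addr"
  done
}

# Static form: the same intent needs two separate definitions in
# unbound.conf, a domain-insecure entry in server: and a forward-zone.
gen_config_snippet() {
  printf 'server:\n'
  printf '%s\n' "$DNSBL_ZONES" | while read -r zone addr; do
    [ -n "$zone" ] || continue
    printf '    domain-insecure: "%s"\n' "$zone"
  done
  printf '%s\n' "$DNSBL_ZONES" | while read -r zone addr; do
    [ -n "$zone" ] || continue
    printf 'forward-zone:\n    name: "%s"\n    forward-addr: %s\n' \
      "$zone" "$addr"
  done
}

# Push the runtime rules into a running unbound (needs unbound-control in
# PATH and remote-control enabled); then list_forwards shows what took effect.
apply_runtime() {
  gen_forward_commands | sh && unbound-control list_forwards
}

# Show both forms without touching a live daemon.
gen_forward_commands
gen_config_snippet
```

Run `apply_runtime` from a post-start hook (for example a systemd `ExecStartPost=`) so the forwards are restored every time unbound restarts.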