Hi!

When working on dnsconfd, we have uncovered a problem with configuring forwarding via unbound-control. If we try to use unbound-control explicitly, there does not seem to be a way to tell unbound not to use root hints.

I can configure forwarding when starting unbound via the configuration file and use forward-first: no. The problem is that I cannot do the same if unbound has to be started before we know the exact forwarders to use. For example, I want to serve localhost and built-in authoritative zones, but until I know the forwarder address and its possible TLS status, I cannot configure the forwarder at startup.

I have found there is a trick to make queries to outer hosts fail until forwarders are configured:

forward-zone:
    name: "."
    forward-first: no

The problem is, after I use "unbound-control forward 192.0.2.53", followed by "unbound-control forward off", root hints are used again. It does not seem to be possible to return to the original configuration, not by simply reusing unbound-control forward, at least. Or is there a way?

Is there some other way in the latest unbound releases to tell unbound to use only the configured forwarders or always fail?

I have tried this on unbound-1.19.0, but I expect that has not changed since then.

This behavior is needed to use only some trusted protective DNS service, which might have some protective query filter (RPZ) applied. Therefore iteration from the root is not acceptable, as it could circumvent such a filter. Most likely something with a TLS authentication endpoint.

Regards,
Petr Menšík

--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
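As an added example that is not part of the original message or of the dnsconfd or unbound projects: the regression described above (forwarding silently falling back to root iteration after "unbound-control forward off") is easy to miss on a host that is supposed to reach only a filtering resolver. The POSIX shell functions below turn that into a fail-closed health check. They assume that "unbound-control forward" with no arguments prints the current forwarders for the root zone, or "off" when no forwarder is set; the address list and allow-list in the test are constructed sample values.

```shell
#!/bin/sh
# forward_state: classify the output of `unbound-control forward`.
# Assumption: the command prints "off" (or nothing) when the root zone has no
# forwarder, otherwise the space-separated forwarder addresses.
# $1: captured output of `unbound-control forward`
forward_state() {
    case "$1" in
        off|"") echo "root-iteration" ;;   # root hints would be used
        *)      echo "forwarding" ;;
    esac
}

# forward_allowed: succeed only if every forwarder in $1 appears in the
# allow-list $2 (both space separated). Any unknown upstream is a failure.
forward_allowed() {
    for addr in $1; do
        case " $2 " in
            *" $addr "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_resolver: exit status 0 only when unbound forwards, and forwards
# exclusively to the allowed protective resolvers. Fails closed on any
# unbound-control error (treated as "no forwarder").
# $1: allow-list of forwarder addresses
check_resolver() {
    allowed=$1
    out=$(unbound-control forward 2>/dev/null) || out=""
    [ "$(forward_state "$out")" = "forwarding" ] || return 1
    forward_allowed "$out" "$allowed"
}

# Usage (constructed allow-list; the RFC 5737 addresses are placeholders):
#   check_resolver "192.0.2.53 192.0.2.54" || echo "resolver not in forward-only state" >&2
```

Running check_resolver from a timer or a readiness probe reports the moment the resolver leaves forward-only mode, which is the condition the message above is trying to prevent; it does not by itself restore forward-first: no, it only makes the loss of that state visible.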
