Hi, I can explain my use case. We have a domain "domain.tld" with 2 public authoritative servers. In this zone, there is a declaration of a delegation to the zone "in.domain.tld" like this:

------------------------------
# Records in the zone "domain.tld".
type=NS name=in.domain.tld. => ns1.in.domain.tld
type=NS name=in.domain.tld. => ns2.in.domain.tld

# And glue records.
type=A name=ns1.in.domain.tld => 172.31.100.1
type=A name=ns2.in.domain.tld => 172.31.100.2
------------------------------

The "in" zone contains only hosts with RFC1918 IP addresses, even the NS of this zone. It's not a problem; this zone is only for private usage in a private network. So no problem if there is no DNS resolution of our "in" zone for the rest of the world, right?

But now, the problem: there is a Certificate Authority (CA) and RFC 8659, which tells that to deliver a certificate for www.in.domain.tld the CA must attempt these DNS requests (in this order):

1. type=CAA name=www.in.domain.tld <= timeout for CA
2. type=CAA name=in.domain.tld <= timeout for CA
3. type=CAA name=domain.tld <= OK

And according to the RFC, a timeout is not OK. A response is required; even an empty response or NXDOMAIN is OK, but not a timeout. So, currently, no certificate for us in the "in" zone.

My idea was to change the "in" delegation and declare the "in" NS with public IP addresses, and then install unbound as the "in" NS server with 2 views:

1. One "default" view where unbound is like a proxy of the real authoritative "in" NS servers (this is my question in this post).
2. One "fake4ca" view with a local-zone for "in.domain.tld." with the type "static" and with almost no records in the zone (because even an empty response is OK for the CA). This view will be enabled only for the CA, which belongs to the CIDR W.X.Y.Z/24.

But I have the feeling that unbound is not the right program to do that, am I wrong? Clearly, point 2 is very easy, but point 1 seems to me not possible with unbound. But this is the object of my post.

Thanks.

-- François Lafont
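An added unbound.conf sketch of the two views described in the post (editor's example, not the author's configuration): the CA netblock W.X.Y.Z/24 stays a placeholder, and the stub-zone towards the RFC1918 servers is one assumed way to approach point 1, not something the post confirms works. The global "." refuse keeps the public-facing unbound from acting as an open recursive resolver for anything other than the "in" zone.

```conf
server:
    interface: 0.0.0.0
    # Anyone may reach the server; what they can ask is narrowed below.
    access-control: 0.0.0.0/0 allow
    # Placeholder for the CA's netblock from the post: clients in it get the
    # "fake4ca" view, everyone else gets the default (global) configuration.
    access-control-view: W.X.Y.Z/24 fake4ca
    # Refuse everything by default so this host is not an open resolver ...
    local-zone: "." refuse
    # ... except the "in" zone, which falls through to the stub-zone below.
    local-zone: "in.domain.tld." transparent
    # The real "in" NS have RFC1918 addresses; allow them as answers for
    # this zone in case private-address filtering is enabled.
    private-domain: "in.domain.tld."

# Point 2: an (almost) empty static zone served only to the CA's netblock.
# CAA queries for in.domain.tld get an empty NOERROR, names below it get
# NXDOMAIN, so the CA no longer hits a timeout.
view:
    name: "fake4ca"
    local-zone: "in.domain.tld." static
    # Fall back to the global local-zones (the "." refuse above) for
    # anything outside the "in" zone.
    view-first: yes

# Point 1 (assumed approach): send queries for the "in" zone to the internal
# authoritative servers instead of the public root.
stub-zone:
    name: "in.domain.tld."
    stub-addr: 172.31.100.1
    stub-addr: 172.31.100.2
```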