Hi Freya, On 8/13/19 10:10 AM, Freya Kalin via Unbound-users wrote: > Hello unbound-users, > > I am tackling with a problem where I want Unbound to be an authoritative > nameserver for a zone, but only for specific records. > > There is a public domain registered by somebody on the Internet. Let's > say "example.com". > > I need my Unbound server to be partially authoritative for the zone > "example.com" for my internal client servers. > > I want Unbound to serve the following records to my internal client > servers whenever they ask for them.
This task is not for the auth-zone feature, that serves entire zones authoritatively, or caches them for local look up. The local-zone feature does what you want. You can register a list of names, and records, and those are applied to answers, but not certain other answers. Declare local-zone entries for the pieces you want covered. There is a lot of choice here, depending on what you want the processing to do. The transparent zone mixes per name, the names you give local-data for get answers from local-data, the others from the upstream look ups. There is also a local-zone type for per-RR-type mix, and other options, like logging. You can nest local-zones, eg. if you want nxdomains for a set of names, declare a local-zone static for that. It looks up the closest localzone and uses the type of that. Then list the data as local-data statements. Just copy the records in local-data quotes. If the records in the zonefile are relative (eg. not the full names), make them full names, for example by filtering the file with ldns-read-zone (and maybe also sort and canonicalize it, but it them has full names). And then put it line by line into local-data statemenets. And have a local-zone entry for the zone, type transparent is I think the one you want. Unless you want nxdomains, or denials or non-denials but upstream lookups of specific names and records. It is possible to put the result into a file and then include: "filename" that file into the unbound.conf just to make it easier to update, or script. Best regards, Wouter > > > * test1.example.com. A 192.168.0.1 > * test2.example.com. A 192.168.0.2 > * test3.example.com. A 192.168.0.3 > > > Whenever a query arrives for a different record (Let's say > "www.example.com") then I want Unbound to do the normal DNS recursive > resolving process on the Internet. > > I want to do this via the auth-zone section in Unbound because I already > have the "example.com" zone on an NSD Authoritative DNS server. I > successfully perform a zone transfer between Unbound and NSD for this > particular zone and Unbound has those 3 records and provides answers for > them. However, whenever I try to query it for "www.example.com" it > doesn't want to do the normal DNS recursive resolving process on the > Internet and doesn't return an answer. > > auth-zone: > name: example.com > master: <<My_Master>> > allow-notify: <<My_Master>> > fallback-enabled: yes > for-downstream: no > for-upstream: yes > > I tried all combinations of > (fallback-enabled,for-downstream,for-upstream) and none of them work. > > Any ideas ? > > OS: CentOS 7.6 > > Unbound version: 1.9.0
signature.asc
Description: OpenPGP digital signature
