Hi Freya,
On 8/13/19 10:10 AM, Freya Kalin via Unbound-users wrote:Hello unbound-users,
I am tackling with a problem where I want Unbound to be an authoritative
nameserver for a zone, but only for specific records.
There is a public domain registered by somebody on the Internet. Let's
say "example.com".
I need my Unbound server to be partially authoritative for the zone
"example.com" for my internal client servers.
I want Unbound to serve the following records to my internal client
servers whenever they ask for them.
This task is not for the auth-zone feature, that serves entire zones
authoritatively, or caches them for local look up. The local-zone
feature does what you want. You can register a list of names, and
records, and those are applied to answers, but not certain other answers.
Declare local-zone entries for the pieces you want covered. There is a
lot of choice here, depending on what you want the processing to do.
The transparent zone mixes per name, the names you give local-data for
get answers from local-data, the others from the upstream look ups.
There is also a local-zone type for per-RR-type mix, and other options,
like logging.
You can nest local-zones, eg. if you want nxdomains for a set of names,
declare a local-zone static for that. It looks up the closest localzone
and uses the type of that.
Then list the data as local-data statements. Just copy the records in
local-data quotes. If the records in the zonefile are relative (eg. not
the full names), make them full names, for example by filtering the file
with ldns-read-zone (and maybe also sort and canonicalize it, but it
them has full names). And then put it line by line into local-data
statemenets. And have a local-zone entry for the zone, type transparent
is I think the one you want. Unless you want nxdomains, or denials or
non-denials but upstream lookups of specific names and records.
It is possible to put the result into a file and then include:
"filename" that file into the unbound.conf just to make it easier to
update, or script.
Best regards, Wouter
* test1.example.com. A 192.168.0.1
* test2.example.com. A 192.168.0.2
* test3.example.com. A 192.168.0.3
Whenever a query arrives for a different record (Let's say
"www.example.com") then I want Unbound to do the normal DNS recursive
resolving process on the Internet.
I want to do this via the auth-zone section in Unbound because I already
have the "example.com" zone on an NSD Authoritative DNS server. I
successfully perform a zone transfer between Unbound and NSD for this
particular zone and Unbound has those 3 records and provides answers for
them. However, whenever I try to query it for "www.example.com" it
doesn't want to do the normal DNS recursive resolving process on the
Internet and doesn't return an answer.
auth-zone:
name: example.com
master: <<My_Master>>
allow-notify: <<My_Master>>
fallback-enabled: yes
for-downstream: no
for-upstream: yes
I tried all combinations of
(fallback-enabled,for-downstream,for-upstream) and none of them work.
Any ideas ?
OS: CentOS 7.6
Unbound version: 1.9.0
Hi Wouter,
Thank you for taking the time to reply to my question.
From my tests, it seems that the local-data solution works well, even in the situation where I want Unbound to be authoritative for some DNS records and to forward all other queries (with a different name that belong to the same zone) to a conditional forwarder.
In my opinion, it would've been nice if Unbound was able to acquire local-data statements automatically via zone transfers.
This way, administrators wouldn't need to generate and maintain a file specifically for Unbound and reload Unbound each time a new local-data entry was added to the file.
local-data entries seem to be identical in syntax to record entries in zone files.
Kind regards
13.08.2019, 10:29, "Wouter Wijngaards via Unbound-users" <[email protected]>:
- Unbound Partial Authority of Zone Freya Kalin via Unbound-users
- Re: Unbound Partial Authority of ... Wouter Wijngaards via Unbound-users
- Re: Unbound Partial Authority... Freya Kalin via Unbound-users
