<html><head><style id="css_styles" type="text/css"><!--blockquote.cite { margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc }
blockquote.cite2 {margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc; margin-top: 3px; padding-top: 0px; }
a img { border: 0px; }
li[style='text-align: center;'], li[style='text-align: center; '], li[style='text-align: right;'], li[style='text-align: right; '] { list-style-position: inside;}
body { font-family: 'Segoe UI'; font-size: 12pt; }
.quote { margin-left: 1em; margin-right: 1em; border-left: 5px #ebebeb solid; padding-left: 0.3em; }
--></style></head><body><div>Thanks Steven. So, for my example scenario, I think this is the answer is the following? (please correct anything that's wrong or omitted)</div><div><br /></div><div><div id="x518e650f1288479c9b50cc1a2932cc5c"><div>(1) PUT THIS INTO THE "<span>forward.conf</span><span>" FILE:</span></div><div><span><br /></span></div><div><span>stub-zone:</span></div><div> name: "this.example.com"
</div><div> stub-addr: 127.0.0.2
</div><div><br /></div>
<div></div></div></div><div><span>(2) </span>PUT THIS INTO THE "unbound.conf" file:</div><div><br /></div><div><span>server: </span></div><div> domain-insecure: "<span>this.example.com</span><span>"</span></div><div><br /></div><div>And then restart the unbound service?</div><div><br /></div><div>Then queries to anything.<span>this.example.com would get their answers from 127.0.0.2, and DNSSEC wouldn't be checked for those - and all other queries would operate normally, without any of this applying to queries that don't end in </span><span>this.example.com</span></div><div><br /></div><div>Is that correct? If I did anything that's incorrect, or if I missed a step - please let me know. (Also, as my original post mentioned, it's important that this forwarder NOT apply to other zones!)</div><div><br /></div><div></div><div id="signature_old" style="clear:both">Rob McEwen, invaluement<div><br /></div></div><div style="clear:both"><br /></div>
<div><br /></div>
<div>
<div>------ Original Message ------</div>
<div>From "Steven Wills" <<a href="mailto:steven@wills.me">steven@wills.me</a>></div>
<div>To <a href="mailto:rob@invaluement.com">rob@invaluement.com</a></div>
<div>Date 3/27/2023 11:58:16 AM</div>
<div>Subject Re: can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)</div></div><div><br /></div>
<div id="x5f74cc1ca0eb4c4"><blockquote cite="Q17XoFR9F5vhCuiaKy2FxdRDqAnfIRDi6c4hDkzv87PhIlAM65H5TouEQ-1Xx3Xx5ZXmE_Ov_F_qqOwkY2WcGMahhLXBDRvOfAkBf5Pa_w4=@wills.me" type="cite" class="cite2">
Hello,<br /><br />This may help.<br /><br /><a href="https://serverfault.com/questions/1013205/unbound-doesnt-accept-answer-from-non-dnssec-forward-rule">https://serverfault.com/questions/1013205/unbound-doesnt-accept-answer-from-non-dnssec-forward-rule</a><br /><br />There are plenty of guides to send Unblund as a forwarder. I like this one.<br /><br /><a href="https://www.redhat.com/sysadmin/forwarding-dns-2">https://www.redhat.com/sysadmin/forwarding-dns-2</a><br /><br />Best regards,<br />Steven<br /><br /><br /><br />-------- Original Message --------<br />On Mar 27, 2023, 10:45, Rob McEwen via Unbound-users < <a href="mailto:unbound-users@lists.nlnetlabs.nl">unbound-users@lists.nlnetlabs.nl</a>> wrote:<blockquote class="protonmail_quote"><br />I'm new to this list - my apologies if this is already answered.
Is there a way to do conditional forwarders in unbound? ...and bypass
DNSSEC checking for THOSE queries?
So to be clear, what I mean is being able to tell unbound to get answers
for a particular zone from a particular IP address, bypassing the
regular DNS system, but also not changing how other
zones/hostnames/domains are handled at all. (which is why this is called
a "conditional" forwarder - it only forwards under a certain
"condition")
Here's an example of how this is done in BIND:<br /><br />zone "this.example.com" IN {
type forward;
forward only;
forwarders { 127.0.0.2; };
};<br /><br />So the scenario I need this for - is in those situations where one of my
clients uses an RSYNC feed of the invaluement DNSBL, sets that up in a
locally-hosted rbldnsd instance, then they want their unbound to gets
answers ONLY for items that end with a particular hostname - directly
from the local or LAN ip that the rbldnsd instance is listening on, but
keeping all other queries in unbound the same as before.
Also - for some years - conditional forwarding to rbldnsd was broken in
latest-versions of BIND because there wasn't a way to do this in BIND
without also doing DNSSEC checking (unless DNSSEC was completely turned
off!) - and rbldnsd doesn't do DNSSEC (or at least not without some
extra effort?) - so then starting with BIND 9.13.3, BIND added their
"validate-except" option where DNSSEC checking can be turned off for
particular zones, thus enabling the conditional forwarding to rbldnsd to
work again, yet without having to turn DNSSEC completely off. (that zone
just had to be specified in the "validate-except" option)
So if unbound has a similar issue with DNSSEC being enforced on queries
forwarded to rbldnsd, is there a similar solution? Or, in unbound, is
DNSSEC compatibility when forwarding queries to rbldnsd not a problem in
the first place?
Thanks for your help with this!<br />--Rob McEwen, invaluement </blockquote><blockquote class="protonmail_quote"><br /></blockquote></blockquote></div>
</body></html>