Hashicorp consul dns API and DNSSEC (newb)

Sergei Gerasenko gerases at gmail.com
Wed Oct 24 02:52:49 UTC 2018


I’m kind of stuck with this problem. Hashicorp's consul doesn’t support DNSSEC and as such, I can’t forward from my main bind instance (DNSSEC enabled) to the consul daemon directly. I can’t turn off DNSSEC in the bind instance either.

Instead, my naive plan is to:
Instruct bind to forward requests for the consul domain to unbound. They can use DNSSEC for this step.
Once unbound receives the request from bind, instruct unbound to forward it further to consul (no DNSSEC).
Retrieve the answer from consul and give it back to bind.

Basically, I want to hide a DNS server (consul) that can’t speak DNSSEC behind unbound.

Is that possible?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20181023/088dba7b/attachment.htm>

More information about the Unbound-users mailing list