Unbound Partial Authority of Zone
Wouter Wijngaards
wouter at nlnetlabs.nl
Tue Aug 13 08:28:51 UTC 2019
Hi Freya,
On 8/13/19 10:10 AM, Freya Kalin via Unbound-users wrote:
> Hello unbound-users,
>
> I am tackling with a problem where I want Unbound to be an authoritative
> nameserver for a zone, but only for specific records.
>
> There is a public domain registered by somebody on the Internet. Let's
> say "example.com".
>
> I need my Unbound server to be partially authoritative for the zone
> "example.com" for my internal client servers.
>
> I want Unbound to serve the following records to my internal client
> servers whenever they ask for them.
This task is not for the auth-zone feature, that serves entire zones
authoritatively, or caches them for local look up. The local-zone
feature does what you want. You can register a list of names, and
records, and those are applied to answers, but not certain other answers.
Declare local-zone entries for the pieces you want covered. There is a
lot of choice here, depending on what you want the processing to do.
The transparent zone mixes per name, the names you give local-data for
get answers from local-data, the others from the upstream look ups.
There is also a local-zone type for per-RR-type mix, and other options,
like logging.
You can nest local-zones, eg. if you want nxdomains for a set of names,
declare a local-zone static for that. It looks up the closest localzone
and uses the type of that.
Then list the data as local-data statements. Just copy the records in
local-data quotes. If the records in the zonefile are relative (eg. not
the full names), make them full names, for example by filtering the file
with ldns-read-zone (and maybe also sort and canonicalize it, but it
them has full names). And then put it line by line into local-data
statemenets. And have a local-zone entry for the zone, type transparent
is I think the one you want. Unless you want nxdomains, or denials or
non-denials but upstream lookups of specific names and records.
It is possible to put the result into a file and then include:
"filename" that file into the unbound.conf just to make it easier to
update, or script.
Best regards, Wouter
>
>
> * test1.example.com. A 192.168.0.1
> * test2.example.com. A 192.168.0.2
> * test3.example.com. A 192.168.0.3
>
>
> Whenever a query arrives for a different record (Let's say
> "www.example.com") then I want Unbound to do the normal DNS recursive
> resolving process on the Internet.
>
> I want to do this via the auth-zone section in Unbound because I already
> have the "example.com" zone on an NSD Authoritative DNS server. I
> successfully perform a zone transfer between Unbound and NSD for this
> particular zone and Unbound has those 3 records and provides answers for
> them. However, whenever I try to query it for "www.example.com" it
> doesn't want to do the normal DNS recursive resolving process on the
> Internet and doesn't return an answer.
>
> auth-zone:
> name: example.com
> master: <<My_Master>>
> allow-notify: <<My_Master>>
> fallback-enabled: yes
> for-downstream: no
> for-upstream: yes
>
> I tried all combinations of
> (fallback-enabled,for-downstream,for-upstream) and none of them work.
>
> Any ideas ?
>
> OS: CentOS 7.6
>
> Unbound version: 1.9.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190813/c342db67/attachment.bin>
More information about the Unbound-users
mailing list