Unbound Partial Authority of Zone

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Aug 13 08:28:51 UTC 2019

Hi Freya,

On 8/13/19 10:10 AM, Freya Kalin via Unbound-users wrote:
> Hello unbound-users,
> I am tackling with a problem where I want Unbound to be an authoritative
> nameserver for a zone, but only for specific records.
> There is a public domain registered by somebody on the Internet. Let's
> say "example.com".
> I need my Unbound server to be partially authoritative for the zone
> "example.com" for my internal client servers.
> I want Unbound to serve the following records to my internal client
> servers whenever they ask for them.

This task is not for the auth-zone feature, that serves entire zones
authoritatively, or caches them for local look up.  The local-zone
feature does what you want.  You can register a list of names, and
records, and those are applied to answers, but not certain other answers.

Declare local-zone entries for the pieces you want covered.  There is a
lot of choice here, depending on what you want the processing to do.
The transparent zone mixes per name, the names you give local-data for
get answers from local-data, the others from the upstream look ups.
There is also a local-zone type for per-RR-type mix, and other options,
like logging.

You can nest local-zones, eg. if you want nxdomains for a set of names,
declare a local-zone static for that.  It looks up the closest localzone
and uses the type of that.

Then list the data as local-data statements.  Just copy the records in
local-data quotes.  If the records in the zonefile are relative (eg. not
the full names), make them full names, for example by filtering the file
with ldns-read-zone (and maybe also sort and canonicalize it, but it
them has full names).  And then put it line by line into local-data
statemenets.  And have a local-zone entry for the zone, type transparent
is I think the one you want.  Unless you want nxdomains, or denials or
non-denials but upstream lookups of specific names and records.

It is possible to put the result into a file and then include:
"filename" that file into the unbound.conf just to make it easier to
update, or script.

Best regards, Wouter

>   * test1.example.com. A
>   * test2.example.com. A
>   * test3.example.com. A
> Whenever a query arrives for a different record (Let's say
> "www.example.com") then I want Unbound to do the normal DNS recursive
> resolving process on the Internet.
> I want to do this via the auth-zone section in Unbound because I already
> have the "example.com" zone on an NSD Authoritative DNS server. I
> successfully perform a zone transfer between Unbound and NSD for this
> particular zone and Unbound has those 3 records and provides answers for
> them. However, whenever I try to query it for "www.example.com" it
> doesn't want to do the normal DNS recursive resolving process on the
> Internet and doesn't return an answer.
> auth-zone:
>    name: example.com
>    master: <<My_Master>>
>    allow-notify: <<My_Master>>
>    fallback-enabled: yes
>    for-downstream: no
>    for-upstream: yes
> I tried all combinations of
> (fallback-enabled,for-downstream,for-upstream) and none of them work.
> Any ideas ?
> OS: CentOS 7.6
> Unbound version: 1.9.0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190813/c342db67/attachment.bin>

More information about the Unbound-users mailing list