Adding root servers as local secondary zone to local caching server

Jaap Akkerhuis jaap at NLnetLabs.nl
Thu Sep 9 13:08:57 UTC 2021


 Charles Sharp via Unbound-users writes:

 > Thanks Jaap, but I do have a follow-up since no one responded to my last
 > question about root hints vs forwarders.
 >
 > My understanding was that you can use either/or.

I'm afraid you seem to misunderstand. You don't need to choose
between root hints or forwarders. Root hints are always used for
bootstrapping.

 >
 > Meaning, if you use root hints, you don't need to use forwarders, but
 > more importantly, if you use forwarders, then the root hints _*are not
 > used*_.

The root hints (either supplied or specified in the configuration
file) don't play a role while resolving a name. They are solely
used during the bootstrapping of the server.

Forwarders are actually not needed. Remember that Unbound is a
validating, recursive, caching DNS resolver.  So if you send a query
to an unbound, it will try to resolve (recursively) the name, provide
the answer and store the answer in the cache so it can answer
directly from the cache the next time it is queried for the same
information.

Forwarder clauses specify that unbound doesn't need to do the
resolving part itself but to just ask another server. So it "forwards"
the query. It then returns the received information and stores that in
the cache for possible later use.

Let me cite the (more precise) description from the
unbound-configuration manual:

> Forward Zone Options
>        There may be multiple forward-zone: clauses. Each with a name: and zero
>        or more hostnames or IP addresses.  For the forward zone this  list  of
>        nameservers  is  used  to forward the queries to. The servers listed as
>        forward-host: and forward-addr: have to handle  further  recursion  for
>        the  query.   Thus,  those  servers  are not authority servers, but are
>        (just like unbound is) recursive servers too; unbound does not  perform
>        recursion itself for the forward zone, it lets the remote server do it.
>        Class IN is assumed.  CNAMEs are chased by unbound itself,  asking  the
>        remote  server  for every name in the indirection chain, to protect the
>        local cache from illegal indirect referenced items.  A forward-zone entry
>        with name "." and a forward-addr target will forward all queries to
>        that other server (unless it can answer from the cache).

So note that using forwarders is a choice by the operator of the
unbound server. It is not required for running unbound.

 > So... is this true? Or can you expound on this?

I hope my explanation helps.

Regards,

	jaap
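As an added illustration (not part of the original thread or of Unbound itself): a small Python audit that reads an unbound.conf and reports whether a catch-all forward-zone "." is configured (queries forwarded) and which root-hints file is set (used only for bootstrapping, as explained above). The config text below is constructed, with documentation-range placeholder addresses; the parser is simplified and handles only the directives it looks for.

```python
# Constructed sample unbound.conf (assumption: not from the original post).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    root-hints: "/etc/unbound/root.hints"
    harden-dnssec-stripped: yes
# Forward everything to an upstream recursive resolver (placeholder addresses).
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54@853
forward-zone:
    name: "example.internal."
    forward-host: ns.example.internal
"""

def parse_forward_zones(text):
    """Return (root_hints, zones): root_hints is the configured path or None,
    zones is a list of {'name', 'targets'} for each forward-zone: clause.
    Everything after '#' on a line is treated as a comment."""
    zones, root_hints, current = [], None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('forward-zone:'):      # start a new clause
            current = {'name': None, 'targets': []}
            zones.append(current)
            continue
        if line.startswith('server:'):            # back to the server block
            current = None
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip().strip('"')
        if current is not None:
            if key == 'name':
                current['name'] = value
            elif key in ('forward-addr', 'forward-host'):
                current['targets'].append(value)
        elif key == 'root-hints':
            root_hints = value
    return root_hints, zones

def resolution_mode(text):
    """Summarise the operator's choice: is '.' forwarded, and which zones are."""
    root_hints, zones = parse_forward_zones(text)
    return {
        'root_hints': root_hints or '(built-in hints)',   # hints are always present
        'forwards_everything': any(z['name'] == '.' for z in zones),
        'forwarded_zones': {z['name']: z['targets'] for z in zones},
    }
```

Run it against your own file with `resolution_mode(open('/etc/unbound/unbound.conf').read())`; a result with `forwards_everything` False means unbound does the recursion itself.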
