2 auth zones: cname expansion?

Tuomo Soini tis at foobar.fi
Mon Feb 14 12:51:57 UTC 2022


On Mon, 14 Feb 2022 12:34:53 +0300
Michael Tokarev via Unbound-users <unbound-users at lists.nlnetlabs.nl>
wrote:

> > I've 2 auth-zones with unbound, and one points to another
> > with CNAME. This doesn't work, unbound only returns the
> > CNAME itself, not including the A record of the CNAME target.
> > When the second zone is forward zone, it returns both records.
> > 
> > ie,
> > 
> >   a.example.net cname a.example.com
> >   a.example.com a 127.0.0.1

> And ofc. I mixed them up. When the FIRST zone, with the CNAME,
> is auth-zone, there's no recursive CNAME expansion.  In this
> case, if example.NET is auth-zone, it doesn't work, but if
> example.NET is forward zone, it works.
> 
> > Is it a bug or a feature? :)

I think those two are actually the same, a bug and a feature. This also happens
if you have two auth zones and one has a cname pointing at the other.

Work-around is quite complicated. It requires you to not run
auth-zones as you do now, you need to use cache for the auth zone for this
to work. So this only works if you configure like this:

auth-zone:
        name: "example.net"
        fallback-enabled: yes
        for-downstream: no
        for-upstream: yes
        primary: 192.168.1.1
        zonefile: /var/lib/unbound/example.net

stub-zone:
        name: "example.net"
        stub-addr: 192.168.1.1

And No, I don't like that but that is the way to make it work. Now the
problem is that auth-zone updates are not immediate, the ttl of the record must
first expire before it is updated in cache. Check documentation of
auth-zone and for-downstream and for-upstream options.

And you actually need stub-addr too to make sure there won't be cache
poisoning from net zone with NXDOMAIN.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
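An added check (not part of the thread, and not unbound's own tooling) that reads an unbound.conf and reports, per auth-zone, which of the workaround settings from the message above are missing: for-downstream no, for-upstream yes, fallback-enabled yes, and a stub-zone of the same name with a stub-addr. The sample configs embedded at the bottom are constructed for the example.

```python
# Added example, not from the post: lint an unbound.conf for the auth-zone
# plus stub-zone workaround described above.  Parses unbound's clause format
# ("auth-zone:" header line, then indented "key: value" lines).
import re

CLAUSE_RE = re.compile(r"^(\S+):\s*$")
OPTION_RE = re.compile(r"^\s+([\w-]+):?\s+(.+?)\s*$")

def parse_clauses(text):
    """Return [(clause_name, {option: value}), ...] in file order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if m := CLAUSE_RE.match(line):
            clauses.append((m.group(1), {}))
        elif (m := OPTION_RE.match(line)) and clauses:
            clauses[-1][1][m.group(1)] = m.group(2).strip('"')
    return clauses

def check_cname_workaround(text):
    """Map each auth-zone name to the settings still missing for the workaround.
    Defaults mirror unbound: for-downstream yes, for-upstream yes, fallback-enabled no."""
    clauses = parse_clauses(text)
    stubs = {o.get("name"): o for c, o in clauses if c == "stub-zone"}
    report = {}
    for c, o in clauses:
        if c != "auth-zone":
            continue
        stub = stubs.get(o.get("name"))
        checks = [
            (o.get("for-downstream", "yes") == "no", "for-downstream must be no"),
            (o.get("for-upstream", "yes") == "yes", "for-upstream must be yes"),
            (o.get("fallback-enabled", "no") == "yes", "fallback-enabled must be yes"),
            (stub is not None and "stub-addr" in stub, "stub-zone with stub-addr missing"),
        ]
        report[o.get("name")] = [msg for ok, msg in checks if not ok]
    return report

# Constructed samples: the plain auth-zone (CNAME target not expanded) and the workaround.
PLAIN = 'auth-zone:\n  name: "example.net"\n  primary: 192.168.1.1\n'
WORKAROUND = PLAIN.replace(
    '  primary:', '  fallback-enabled: yes\n  for-downstream: no\n  for-upstream: yes\n  primary:'
) + 'stub-zone:\n  name: "example.net"\n  stub-addr: 192.168.1.1\n'

if __name__ == "__main__":
    for label, conf in (("plain", PLAIN), ("workaround", WORKAROUND)):
        print(label, check_cname_workaround(conf))
```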