2 auth zones: cname expansion?
Tuomo Soini
tis at foobar.fi
Mon Feb 14 12:51:57 UTC 2022
On Mon, 14 Feb 2022 12:34:53 +0300
Michael Tokarev via Unbound-users <unbound-users at lists.nlnetlabs.nl>
wrote:
> > I've 2 auth-zones with unbound, and one points to another
> > with CNAMe. This doesn't work, unbound only return the
> > CNAME itself, not including the A record of the CNAME target.
> > When the second zone is forward zone, it returns both records.
> >
> > ie,
> >
> > a.example.net cname a.example.com
> > a.example.com a 127.0.0.1
> And ofc. I mixed them up. When the FIRST zone, with the CNAME,
> is auth-zone, there's no recurseve CNAME expanison. In this
> case, if example.NET is auth-zone, it doesn't work, but if
> example.NET is forward zone, it works.
>
> > It it a bug or a feature? :)
I think those two are actually same, a bug and a feature. This also happens
if you have two auth zones and one has cname pointing at other.
Work-around is quite complicated. It require you to not run
auth-zones as you do now, you need to use cache for auth zone for this
to work. So this only works if you configure like this:
auth-zone:
name: "example.net"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
primary: 192.168.1.1
zonefile /var/lib/unbound/example.net
stub-zone:
name: "example.net"
stub-addr: 192.168.1.1
And No, I don't like that but that is the way to make it work. Now
problem is that auth-zone updates are not immediate, ttl of record must
first expire before it is updated in cache. Check documentation of
auth-zone and for-downstream and for-upstream options.
And you actually need stub-addr too to make sure there won't be cache
poisoning from net zone with NXDOMAIN.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
More information about the Unbound-users
mailing list