providing CNAMEs for local data

Renaud Allard renaud at allard.it
Wed Nov 23 07:08:35 UTC 2022



On 11/22/22 15:45, Michael Tokarev wrote:
> 22.11.2022 16:53, Renaud Allard via Unbound-users wrote:
>>>> On 22. 11. 22 13:27, Michael Tokarev via Unbound-users wrote:
>>>>> For example, we've a domain and a few geographically-spread
>>>>> offices, each office is supposed to have its own proxy, email
>>>>> server, file server and stuff like that.  This is also an
>>>>> AD DC domain.  I thought about a single domain zone and local
>>>>> overrides for certain commonly used names. But once again
>>>>> faced this issue with unbound who is unable to resolve
>>>>> (expand) CNAMEs in local-data or somesuch.
> 
>> Did you try with RPZ instead of using local-data inside the config 
>> file? Both methods don't give exactly the same results with CNAMEs.
>> Also, don't forget that you cannot put a CNAME on top of a zone.
> 
> I've never come across RPZ before, haven't heard of it.
> 
> But I'm not sure what do you mean here.  How is it possible
> to use RPZ for this task, to override a name with an (expanded)
> CNAME?
> 
> For example, in example.com domain I want to add an "fs" CNAME
> record pointing to foo.example.com.  How would I do that with
> RPZ?
> 
> That should be a qname trigger, but I'm lost for now about the action.
> 
> rpz:
>   name: "example.com" # arbitrary?
>   zonefile: "example.com.rpz"
>   rpz-action-override: cname
>   rpz-cname-override: "foo.example.com."
> 
> with example.com.rpz containing:
> 
>   fs.example.com. CNAME rpz-drop.
> 
> ?
> 

The zone needs to be a properly formatted zone with SOA and NS records.

localrpz.example.com. 3600 IN SOA elrond.arnor.org. maintainer.mail.com. 2022112113 60 60 432000 60
localrpz.example.com.     3600    IN      NS      localhost.
fs.example.com  3600	IN CNAME foo.example.com.
fs2.microsoft.com 3600 IN CNAME somewhereelse.mydomain.com.

Notice the absence of a dot after the first term. You can also put it in 
full, but that's less readable IMO.
You can put as many RPZs as you want, but one might be enough, as you can 
put multiple domains' data inside.

The config would look like this in nsd:
zone:
         name: "localrpz.example.com"
         zonefile: "rpz/localrpz.example.com"
         provide-xfr: 192.0.2.1 NOKEY

And in unbound:
rpz:
         name: localrpz.example.com
         zonefile: /var/unbound/db/localrpz.example.com
         allow-notify: 192.0.2.20
         master: 192.0.2.20



> And if I want to configure another such name, I'll have to
> create another rpz zonefile and another rpz section?
> 
> Lemme try...  hmm, immediately this file (rpz) has been overwritten,
> with contents of example.com zone.  It looks like I don't see how
> this works, and why it removed the data I've put there.
> 
> Or does this need another indirection, to configure this "rpz zone"
> on some other primary? And to serve different contents to different
> sites, I'll have to configure SEVERAL primaries?
> 
> Or am I out of track completely?
> 
> I'll try to configure this one test zone in nsd.  But this whole
> thing quickly becomes unmanageable...
> 
> 
> Thanks,
> 
> /mjt
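Added example (my own, not code from the thread or from the Unbound/NSD projects): a small Python checker for an RPZ zone file of the kind shown above. The embedded zone is a constructed copy of the sample in the mail, with the origin localrpz.example.com taken from it. It expands owner names written without a trailing dot under the zone origin (which is why the trigger lines omit the dot), checks that the apex carries SOA and NS and no CNAME, and lists the trigger-to-target overrides the zone expresses.

```python
ZONE = """\
localrpz.example.com. 3600 IN SOA elrond.arnor.org. maintainer.mail.com. 2022112113 60 60 432000 60
localrpz.example.com.     3600    IN      NS      localhost.
fs.example.com  3600    IN CNAME foo.example.com.
fs2.microsoft.com 3600 IN CNAME somewhereelse.mydomain.com.
"""  # constructed sample, same records as the zone in the mail


def fqdn(name, origin):
    """Expand a relative owner name under the zone origin; names ending in '.' are absolute."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_rpz(text, origin):
    """Parse 'owner ttl class type rdata...' lines (ttl and class present, as in the sample)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((fqdn(owner, origin), rtype, rdata))
    return records


def check_rpz(text, origin):
    """Return the problems found; an empty list means the zone meets the points made in the mail."""
    origin = origin if origin.endswith(".") else origin + "."
    recs = parse_rpz(text, origin)
    apex_types = {t for o, t, _ in recs if o == origin}
    problems = [f"missing {t} at apex" for t in ("SOA", "NS") if t not in apex_types]
    if "CNAME" in apex_types:
        problems.append("CNAME at zone apex is not allowed")
    for owner, rtype, rdata in recs:
        if rtype != "CNAME":
            continue
        if not owner.endswith("." + origin):
            problems.append(f"{owner}: absolute owner, not a trigger under {origin}")
        if not rdata[0].endswith("."):
            problems.append(f"{owner}: relative target {rdata[0]} would expand under {origin}")
    return problems


def triggers(text, origin):
    """Map each RPZ trigger (the query name being overridden) to its CNAME target."""
    origin = origin if origin.endswith(".") else origin + "."
    suffix = "." + origin
    return {o[: -len(suffix)] + ".": rd[0] for o, t, rd in parse_rpz(text, origin)
            if t == "CNAME" and o.endswith(suffix)}
```

Running check_rpz on a copy of the zone where a trigger was written with a trailing dot reports it as an absolute owner that is not under the RPZ origin, which is exactly the mistake the "absence of a dot" remark warns about.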