Problem with undead upstrems

Florian Streibelt unboundlst at
Tue Feb 28 12:17:17 UTC 2023

Am 2023-02-28 11:02, schrieb George (Yorgos) Thessalonikefs via 

>> Perhaps you can try a local override, eg:
>> local-zone: <your-parentzone> ds always_nxdomain
>> local-zone: <your-customerzone> ds always_nxdomain
>> But I don't really know if that will work.
> What could work would be:
> 	local-zone: <your-parentzone> typetransparent
> 	local-data: "<your-customerzone> IN DS <ds-data>"
> 	domain-insecure: <your-customerzone>
> These are DS answers to the clients.
> You would need to provide fake DS data though, not sure if that is
> desirable and how that would break the clients that ask for it.
> If the zones do not do DNSSEC in the first place (so there is no chain
> to break) you could try that.

Something like that looks exactly like what I need/could abuse for that.

DNSSEC with that domain(s) probably is broken anyway, and returning 
NODATA would be sufficient here.

I really hate manually keeping track of these domains but nobody seems 
to be able to fix it and its hard to explain that using any of the open 
resolvers the domains work, only when using our resolvers it breaks.

Thanks for the help!

>> Another option might be to run an unbound instance with 
>> val-permissive-mode=yes
>> and then on your regular resolver, use a forward-zone: for your
>> parentzone and customer zone to that unbound instance.

The problem is that "something" at our customer is explicitely creating 
these DS queries.

Again thanks for all the help and effort trying to understand my 

I'll try to reply if the solution works.


More information about the Unbound-users mailing list