Problem with undead upstrems
Florian Streibelt
unboundlst at streibelt.net
Tue Feb 28 12:17:17 UTC 2023
Am 2023-02-28 11:02, schrieb George (Yorgos) Thessalonikefs via
Unbound-users:
>> Perhaps you can try a local override, eg:
>>
>>
>> local-zone: <your-parentzone> ds always_nxdomain
>> local-zone: <your-customerzone> ds always_nxdomain
>>
>> But I don't really know if that will work.
> What could work would be:
> local-zone: <your-parentzone> typetransparent
> local-data: "<your-customerzone> IN DS <ds-data>"
> domain-insecure: <your-customerzone>
>
> These are DS answers to the clients.
> You would need to provide fake DS data though, not sure if that is
> desirable and how that would break the clients that ask for it.
> If the zones do not do DNSSEC in the first place (so there is no chain
> to break) you could try that.
>
Something like that looks exactly like what I need/could abuse for that.
DNSSEC with that domain(s) probably is broken anyway, and returning
NODATA would be sufficient here.
I really hate manually keeping track of these domains but nobody seems
to be able to fix it and its hard to explain that using any of the open
resolvers the domains work, only when using our resolvers it breaks.
Thanks for the help!
>>
>> Another option might be to run an unbound instance with
>> val-permissive-mode=yes
>> and then on your regular resolver, use a forward-zone: for your
>> parentzone and customer zone to that unbound instance.
The problem is that "something" at our customer is explicitely creating
these DS queries.
Again thanks for all the help and effort trying to understand my
problem.
I'll try to reply if the solution works.
Florian
More information about the Unbound-users
mailing list