Can we finally agree unbound does not work with local data or zones?
Michael Tokarev
mjt at tls.msk.ru
Tue Jun 27 10:56:45 UTC 2023
27.06.2023 01:25, Tuomo Soini wrote:
> On Mon, 26 Jun 2023 18:35:50 +0300
> Michael Tokarev via Unbound-users <unbound-users at lists.nlnetlabs.nl>
> wrote:
>
>> Hello!
>>
>> I asked this question maybe 3 times in the past but the answer has
>> always been about something else.
>>
>> The problem is that unbound does not work with any local data which
>> contains CNAME records, no matter if it is local-data: or auth-zone:
>> or anything else like this: once unbound hits CNAME, it does not
>> expand it, so the client receives an answer which it can't handle.
>
> It only works like you want if you use cache between clients and your
> zone like this. Important thing here is "for-downstream: no".
>
> auth-zone:
>     name: "example.com"
>     fallback-enabled: yes
>     for-downstream: no
>     for-upstream: yes
>     primary: 172.27.5.3
>     zonefile: /var/lib/unbound/example.com.zone
>
> stub-zone:
>     name: "example.com"
>     stub-address: 172.27.5.3
Well. This - setting for-downstream to "no" - effectively makes the auth-zone
statement completely useless. Unbound has the zone but does not use it to
answer the queries. It is exactly the same as having no "auth-zone" at all
and just using stub-address directly. And in turn, it means stub-address must
be reachable when this zone is queried - for any name, not just for this particular
record.
> Hope this helps.
No, unfortunately it does not :)
Thanks,
/mjt
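An added check for the symptom discussed in this thread (not code from the thread or from the Unbound project): it parses the answer section as printed by `dig +noall +answer @<resolver> <name> <type>`, follows the CNAME chain from the queried name and reports whether the resolver actually supplied a record of the queried type for the end of the chain. The two sample answers below are constructed; the names and the 192.0.2.10 address are placeholders.

```python
"""Verify that a resolver expands CNAME chains in its answer section.

Usage: dig +noall +answer @127.0.0.1 www.example.com A | python3 check_cname.py www.example.com A
"""
import sys
from typing import List, Tuple

RR = Tuple[str, str, str]  # (owner name, RR type, rdata)

# Constructed samples standing in for dig output: one unexpanded, one expanded.
UNEXPANDED = "www.example.com.\t3600\tIN\tCNAME\thost.example.com.\n"
EXPANDED = UNEXPANDED + "host.example.com.\t3600\tIN\tA\t192.0.2.10\n"


def parse_answer(text: str) -> List[RR]:
    """Parse dig answer-section lines ('owner ttl IN type rdata') into RRs."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank lines, comments, anything not an RR
        owner, rrtype, rdata = parts[0].lower(), parts[3].upper(), " ".join(parts[4:])
        if rrtype == "CNAME":
            rdata = rdata.lower()  # targets are compared as owner names
        rrs.append((owner, rrtype, rdata))
    return rrs


def cname_chain_resolved(qname: str, qtype: str, rrs: List[RR]) -> Tuple[bool, str]:
    """Follow CNAMEs from qname; return (resolved, last_name).

    resolved is True when the answer holds a qtype record for the chain's end.
    last_name is where the walk stopped: the name the client would still
    have to look up itself when the resolver left the chain unexpanded.
    """
    name = qname.lower().rstrip(".") + "."
    seen = set()
    while True:
        if any(o == name and t == qtype.upper() for o, t, _ in rrs):
            return True, name
        targets = [r for o, t, r in rrs if o == name and t == "CNAME"]
        if not targets or name in seen:  # chain ends without data, or loops
            return False, name
        seen.add(name)
        name = targets[0]


if __name__ == "__main__":
    ok, last = cname_chain_resolved(sys.argv[1], sys.argv[2], parse_answer(sys.stdin.read()))
    print(("expanded to" if ok else "UNEXPANDED, stops at") + " " + last)
    sys.exit(0 if ok else 1)
```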