can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)

Rob McEwen rob at invaluement.com
Mon Mar 27 15:45:57 UTC 2023


I'm new to this list - my apologies if this is already answered.

Is there a way to do conditional forwarders in unbound? ...and bypass 
DNSSEC checking for THOSE queries?

So to be clear, what I mean is being able to tell unbound to get answers 
for a particular zone from a particular IP address, bypassing the 
regular DNS system, but also not changing how other 
zones/hostnames/domains are handled at all (which is why this is called 
a "conditional" forwarder: it only forwards under a certain 
"condition").

Here's an example of how this is done in BIND:

zone "this.example.com" IN {
         type forward;
         forward only;
         forwarders { 127.0.0.2; };
};

So the scenario I need this for is those situations where one of my 
clients uses an RSYNC feed of the invaluement DNSBL, sets that up in a 
locally-hosted rbldnsd instance, and then wants their unbound to get 
answers ONLY for items that end with a particular hostname directly 
from the local or LAN IP that the rbldnsd instance is listening on, 
while keeping all other queries in unbound the same as before.

Also, for some years, conditional forwarding to rbldnsd was broken in 
the latest versions of BIND because there wasn't a way to do this in 
BIND without also doing DNSSEC checking (unless DNSSEC was completely 
turned off!), and rbldnsd doesn't do DNSSEC (or at least not without 
some extra effort?). So then, starting with BIND 9.13.3, BIND added 
their "validate-except" option, where DNSSEC checking can be turned off 
for particular zones, thus enabling the conditional forwarding to 
rbldnsd to work again, yet without having to turn DNSSEC completely off 
(that zone just had to be specified in the "validate-except" option).

So if unbound has a similar issue with DNSSEC being enforced on queries 
forwarded to rbldnsd, is there a similar solution? Or, in unbound, is 
DNSSEC compatibility when forwarding queries to rbldnsd not a problem in 
the first place?

Thanks for your help with this!

Rob McEwen, invaluement
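For reference, here is an unbound.conf fragment that does what the BIND stanza in the question does. It is added here as an illustration; it is not from the original message, nor copied from NLnet Labs' documentation. It assumes the zone name this.example.com and the 127.0.0.2 address from the BIND example, and that the rbldnsd zone returns 127.0.0.x answers as is DNSBL convention; the option names themselves are standard unbound options.

```conf
# Added example (not from the original post): unbound.conf fragment that is
# the rough equivalent of the BIND "type forward; forward only;" zone above.
# Assumed: the DNSBL zone is this.example.com and rbldnsd listens on
# 127.0.0.2 port 53 (both taken from the BIND example in the question).

server:
    # Unbound refuses to send queries to 127.0.0.0/8 and ::1 by default,
    # which silently breaks a forwarder on 127.0.0.2 (clients see SERVFAIL).
    do-not-query-localhost: no

    # Do not attempt DNSSEC validation for this name and everything below it.
    # rbldnsd serves unsigned data; a validating unbound that cannot prove
    # the zone is insecure would otherwise answer SERVFAIL for it. This is
    # the unbound counterpart of BIND's validate-except.
    domain-insecure: "this.example.com"

    # Only needed if private-address is configured for 127.0.0.0/8 (some
    # distribution defaults do this). It lets the 127.0.0.x answers that a
    # DNSBL returns through instead of being dropped as rebinding attempts.
    private-domain: "this.example.com"

forward-zone:
    name: "this.example.com"
    forward-addr: 127.0.0.2
    # "forward only": never fall back to iterating from the root if rbldnsd
    # does not answer. no is already the default; shown here for clarity.
    forward-first: no
```

All other names are still resolved (and validated) as before, because forward-zone and domain-insecure apply only to the named zone and its subdomains. Check the file with unbound-checkconf before reloading (unbound-control reload), then query a name under the zone through unbound, for example dig @127.0.0.1 some.entry.this.example.com, and confirm the answer comes back without the AD flag and without SERVFAIL.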

More information about the Unbound-users mailing list