can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)
Rob McEwen
rob at invaluement.com
Mon Mar 27 15:45:57 UTC 2023
I'm new to this list - my apologies if this is already answered.
Is there a way to do conditional forwarders in unbound? ...and bypass
DNSSEC checking for THOSE queries?
So to be clear, what I mean is being able to tell unbound to get answers
for a particular zone from a particular IP address, bypassing the
regular DNS system, but also not changing how other
zones/hostnames/domains are handled at all. (which is why this is called
a "conditional" forwarder - it only forwards under a certain
"condition")
Here's an example of how this is done in BIND:
zone "this.example.com" IN {
type forward;
forward only;
forwarders { 127.0.0.2; };
};
So the scenario I need this for - is in those situations where one of my
clients uses an RSYNC feed of the invaluement DNSBL, sets that up in a
locally-hosted rbldnsd instance, then they want their unbound to gets
answers ONLY for items that end with a particular hostname - directly
from the local or LAN ip that the rbldnsd instance is listening on, but
keeping all other queries in unbound the same as before.
Also - for some years - conditional forwarding to rbldnsd was broken in
latest-versions of BIND because there wasn't a way to do this in BIND
without also doing DNSSEC checking (unless DNSSEC was completely turned
off!) - and rbldnsd doesn't do DNSSEC (or at least not without some
extra effort?) - so then starting with BIND 9.13.3, BIND added their
"validate-except" option where DNSSEC checking can be turned off for
particular zones, thus enabling the conditional forwarding to rbldnsd to
work again, yet without having to turn DNSSEC completely off. (that zone
just had to be specified in the "validate-except" option)
So if unbound has a similar issue with DNSSEC being enforced on queries
forwarded to rbldnsd, is there a similar solution? Or, in unbound, is
DNSSEC compatibility when forwarding queries to rbldnsd not a problem in
the first place?
Thanks for your help with this!
Rob McEwen, invaluement
More information about the Unbound-users
mailing list