can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)
Rob McEwen
rob at invaluement.com
Mon Mar 27 16:18:39 UTC 2023
Thanks Steven. So, for my example scenario, I think the answer is the
following? (please correct anything that's wrong or omitted)
(1) PUT THIS INTO THE "forward.conf" FILE:
stub-zone:
    name: "this.example.com"
    stub-addr: 127.0.0.2
(2) PUT THIS INTO THE "unbound.conf" file:
server:
    domain-insecure: "this.example.com"
And then restart the unbound service?
Then queries to anything.this.example.com would get their answers from
127.0.0.2, and DNSSEC wouldn't be checked for those - and all other
queries would operate normally, without any of this applying to queries
that don't end in this.example.com
Is that correct? If I did anything that's incorrect, or if I missed a
step - please let me know. (Also, as my original post mentioned, it's
important that this forwarder NOT apply to other zones!)
Rob McEwen, invaluement
------ Original Message ------
From "Steven Wills" <steven at wills.me>
To rob at invaluement.com
Date 3/27/2023 11:58:16 AM
Subject Re: can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)
>Hello,
>
>This may help.
>
>https://serverfault.com/questions/1013205/unbound-doesnt-accept-answer-from-non-dnssec-forward-rule
>
>There are plenty of guides to set up Unbound as a forwarder. I like this
>one.
>
>https://www.redhat.com/sysadmin/forwarding-dns-2
>
>Best regards,
>Steven
>
>
>
>-------- Original Message --------
>On Mar 27, 2023, 10:45, Rob McEwen via Unbound-users <
>unbound-users at lists.nlnetlabs.nl> wrote:
>>
>>I'm new to this list - my apologies if this is already answered. Is
>>there a way to do conditional forwarders in unbound? ...and bypass
>>DNSSEC checking for THOSE queries? So to be clear, what I mean is
>>being able to tell unbound to get answers for a particular zone from a
>>particular IP address, bypassing the regular DNS system, but also not
>>changing how other zones/hostnames/domains are handled at all. (which
>>is why this is called a "conditional" forwarder - it only forwards
>>under a certain "condition") Here's an example of how this is done in
>>BIND:
>>
>>zone "this.example.com" IN {
>>    type forward;
>>    forward only;
>>    forwarders { 127.0.0.2; };
>>};
>>
>>So the scenario I need this for - is in those situations where one of
>>my clients uses an RSYNC feed of the invaluement DNSBL, sets that up
>>in a locally-hosted rbldnsd instance, then they want their unbound to
>>get answers ONLY for items that end with a particular hostname -
>>directly from the local or LAN ip that the rbldnsd instance is
>>listening on, but keeping all other queries in unbound the same as
>>before. Also - for some years - conditional forwarding to rbldnsd was
>>broken in latest-versions of BIND because there wasn't a way to do
>>this in BIND without also doing DNSSEC checking (unless DNSSEC was
>>completely turned off!) - and rbldnsd doesn't do DNSSEC (or at least
>>not without some extra effort?) - so then starting with BIND 9.13.3,
>>BIND added their "validate-except" option where DNSSEC checking can be
>>turned off for particular zones, thus enabling the conditional
>>forwarding to rbldnsd to work again, yet without having to turn DNSSEC
>>completely off. (that zone just had to be specified in the
>>"validate-except" option) So if unbound has a similar issue with
>>DNSSEC being enforced on queries forwarded to rbldnsd, is there a
>>similar solution? Or, in unbound, is DNSSEC compatibility when
>>forwarding queries to rbldnsd not a problem in the first place? Thanks
>>for your help with this!
>>--Rob McEwen, invaluement
>>
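As an added example for the DNSSEC question running through this thread (it is not code from the Unbound project and not something either poster wrote), the script below sends the same A question to the resolver twice, once with the CD (checking disabled) bit set and once without. If the plain query returns SERVFAIL while the CD query returns the record, the answer is reaching Unbound from the stub/forward address but is being rejected by the validator, which is exactly the case that `domain-insecure` for that zone is meant to cover. It assumes the resolver listens on UDP/53 at the address given on the command line (default 127.0.0.1), that the DNSBL zone uses the usual reversed-octet query names, and that 127.0.0.2 and this.example.com are constructed placeholders; the `sample_response` helper builds constructed replies so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Tell DNSSEC validation failures apart from other forwarding failures.

Added example, not Unbound project code. Assumes the resolver is reachable
on UDP/53; hostnames and addresses are constructed for illustration.
"""
import socket
import struct
import sys

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def dnsbl_qname(ip, zone):
    """Query name a DNSBL client sends: reversed IPv4 octets plus the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted quad expected")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def encode_name(name):
    """Wire-format a name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qid, checking_disabled):
    """Raw DNS A/IN query; RD is always set, CD only when requested."""
    flags = 0x0100                       # RD: recursion desired
    if checking_disabled:
        flags |= 0x0010                  # CD: checking disabled (RFC 4035)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def skip_name(packet, offset):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(packet):
    """Extract id, rcode, AD bit and any A records from a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        offset = skip_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def diagnose(plain, with_cd):
    """Classify the plain/CD response pair for the same question."""
    if plain["rcode"] == RCODE_NOERROR and plain["answers"]:
        return "ok"                      # forwarding works, validation not in the way
    if plain["rcode"] == RCODE_SERVFAIL and with_cd["rcode"] == RCODE_NOERROR and with_cd["answers"]:
        return "validation-failure"      # data arrives but the validator rejects it: domain-insecure
    return "other"                       # wrong address, zone unreachable, NXDOMAIN, ...


def query(resolver, qname, checking_disabled, qid=0x1234, timeout=2.0):
    """Send one UDP query and parse the reply (needs a reachable resolver)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qid, checking_disabled), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != qid:
        raise RuntimeError("response id does not match query id")
    return reply


def sample_response(qname, rcode, answer_ip=None, qid=0x1234):
    """Constructed reply for offline checks: QR|RD|RA set, optional single A record."""
    packet = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0)
    packet += encode_name(qname) + struct.pack("!HH", 1, 1)
    if answer_ip:
        packet += b"\xc0\x0c"                           # pointer back to the question name
        packet += struct.pack("!HHIH", 1, 1, 300, 4)
        packet += bytes(int(o) for o in answer_ip.split("."))
    return packet


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    qname = dnsbl_qname("127.0.0.2", "this.example.com")     # constructed test entry
    plain = query(resolver, qname, checking_disabled=False)
    with_cd = query(resolver, qname, checking_disabled=True, qid=0x1235)
    print(qname, plain, with_cd, "=>", diagnose(plain, with_cd))
```

Run it as `python3 check_forward.py 127.0.0.1` against the resolver that carries the stub-zone; a result of `validation-failure` is the symptom the `domain-insecure` line is there to fix, while `other` points at the stub/forward address or the rbldnsd zone itself rather than at DNSSEC. The same two-query comparison can be done by hand with `dig` and `dig +cd`.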