can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)

Petr Menšík pemensik at
Thu Mar 30 19:01:43 UTC 2023

It sort of seems this should be only done at runtime, because the source 
of those DNSBLs is not under your control.

I would use:

unbound-control forward_add +i

This does redirection of the selected name into the local daemon, also 
disabling DNSSEC validation (+i) on that name. You would need some script 
pushing those rules into unbound after it started, because it would forget 
them on restart. If you have a list of affected domains, it may save you 
generating a config file snippet for unbound. That is actually an amazing 
advantage of unbound. It can do quite a lot of things at runtime from 
unbound-control. In config you would have to generate the insecure zone and 
forward definition separately AFAIK.

On 3/27/23 17:45, Rob McEwen via Unbound-users wrote:
> I'm new to this list - my apologies if this is already answered.
> Is there a way to do conditional forwarders in unbound? ...and bypass 
> DNSSEC checking for THOSE queries?
> So to be clear, what I mean is being able to tell unbound to get 
> answers for a particular zone from a particular IP address, bypassing 
> the regular DNS system, but also not changing how other 
> zones/hostnames/domains are handled at all. (which is why this is 
> called a "conditional" forwarder - it only forwards under a certain 
> "condition")
> Here's an example of how this is done in BIND:
> zone "" IN {
>         type forward;
>         forward only;
>         forwarders {; };
> };
> So the scenario I need this for - is in those situations where one of 
> my clients uses an RSYNC feed of the invaluement DNSBL, sets that up 
> in a locally-hosted rbldnsd instance, then they want their unbound to 
> get answers ONLY for items that end with a particular hostname - 
> directly from the local or LAN IP that the rbldnsd instance is 
> listening on, but keeping all other queries in unbound the same as 
> before.
> Also - for some years - conditional forwarding to rbldnsd was broken 
> in latest-versions of BIND because there wasn't a way to do this in 
> BIND without also doing DNSSEC checking (unless DNSSEC was completely 
> turned off!) - and rbldnsd doesn't do DNSSEC (or at least not without 
> some extra effort?) - so then starting with BIND 9.13.3, BIND added 
> their "validate-except" option where DNSSEC checking can be turned off 
> for particular zones, thus enabling the conditional forwarding to 
> rbldnsd to work again, yet without having to turn DNSSEC completely 
> off. (that zone just had to be specified in the "validate-except" option)
> So if unbound has a similar issue with DNSSEC being enforced on 
> queries forwarded to rbldnsd, is there a similar solution? Or, in 
> unbound, is DNSSEC compatibility when forwarding queries to rbldnsd 
> not a problem in the first place?
> Thanks for your help with this!
> Rob McEwen, invaluement
Petr Menšík
Software Engineer, RHEL
Red Hat,
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
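The "script pushing those rules into unbound after it started" that the reply suggests, written out as an added example. This is not code from the thread or from the Unbound project; it uses the real unbound-control subcommands forward_add (with +i, which also adds a domain-insecure for the zone so answers from the local rbldnsd are not DNSSEC-validated) and list_forwards. The rule-file format (one "zone address..." per line, '#' comments), the placeholder zone names and 192.0.2.x addresses, and running it from a post-start hook are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): re-apply
# conditional forwarders with DNSSEC validation disabled (+i) to a running
# unbound via unbound-control. Because forward_add rules live only in the
# running daemon, run this from a post-start hook (e.g. a systemd
# ExecStartPost) so they come back after every restart.
#
# Assumptions constructed for this example, not taken from the page:
#  - rule file format: one "zone address[ address...]" per line, '#' comments
#  - zone names and addresses in the sample file are placeholders
set -eu

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Turn one "zone addr..." rule into the unbound-control argument line.
# "forward_add +i zone addr..." adds the forward AND marks the zone insecure,
# so the unsigned answers from rbldnsd are not rejected by the validator.
forward_add_args() {
    zone="$1"; shift
    printf 'forward_add +i %s %s\n' "$zone" "$*"
}

# Read the rule file, skipping blank and comment lines, and print one
# unbound-control command line per rule (malformed lines are reported, not applied).
render_rules() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line   # split the rule into zone + addresses (globbing not expected)
        if [ $# -lt 2 ]; then
            printf 'skipping malformed rule: %s\n' "$line" >&2
            continue
        fi
        forward_add_args "$@"
    done < "$file"
}

# Push every rendered rule into the running daemon, then show the resulting
# forward list so the operator can confirm the zones are present.
apply_rules() {
    render_rules "$1" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086  # word-splitting the command line is intended
        "$UNBOUND_CONTROL" $cmd
    done
    "$UNBOUND_CONTROL" list_forwards
}

# Constructed sample rule file with placeholder values (not real DNSBL zones).
write_sample_rules() {
    cat > "$1" <<'EOF'
# zone                     forwarder address(es)   (placeholders, not real)
dnsbl.example.invalid      192.0.2.53
dnsbl2.example.invalid     192.0.2.53 192.0.2.54
EOF
}

# Usage: ./push-forwards.sh /etc/unbound/dnsbl-forwards.txt   (once unbound is up)
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

To undo a rule at runtime without restarting, the matching subcommand is `unbound-control forward_remove +i <zone>`; to test the script without touching a live daemon, set `UNBOUND_CONTROL=echo` and the command lines are printed instead of executed.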
