Does unbound *ever* work with CNAMEs in any local data?

Michael Tokarev mjt at tls.msk.ru
Mon May 29 07:32:01 UTC 2023


Hi!

This is ridiculous really.

Unbound is a great recursive nameserver with various local data support, including
auth zones.  But it looks like CNAMEs do not work anywhere in this config, ever:
unbound does not expand CNAMEs seen in local configuration.

It does not look like this is by design.

I already asked this a few times before, in different forms.
The last time I got an answer to this, it was about auth zones, and the suggestion
was to use for-downstream:no. And it *appeared* to work, but it is a false
sense of "working" - with this setting, unbound effectively *ignores* the whole
auth zone for queries and resorts to regular recursive resolving from the
root nameservers.  But the auth zone is there to have various local zones handy
even before the network is up, or to have completely local/internal zones
which are not visible on the 'net. Obviously this doesn't work.

Why can't unbound expand CNAMEs within local-data or auth-zones or in a few
similar places? Internally, it can use those zone/data types just like
another cache when answering queries; this way it should be able to
expand everything.

Just from logic, it smells like expanding CNAMEs within locally-configured
data is even *easier* than doing it recursively.  And other, simpler name
servers do that.

So far, we have to either complement unbound with nsd *every* time we're
to have any local data which needs to be there, even if that's only a
few records (it's just too easy to forget about this unbound bug of not
expanding CNAMEs), or to drop unbound and use named instead (which is
horrible for other reasons).

Can't this issue be fixed?

Thank you!

/mjt
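As an added illustration (not unbound's code and not part of this thread), here is a small Python model of the behaviour the post asks for: it parses `local-data:` records out of a constructed unbound config snippet and answers queries by following CNAME chains within that data, with the chain-length guard a resolver needs against looping records. The config, zone names and addresses are all constructed.

```python
# Added illustration (not unbound's own code): parse a constructed
# "local-data:" snippet and answer queries by chasing CNAME chains within it.
import re

CONSTRUCTED_CONFIG = """
server:
    local-zone: "example.lan." static
    local-data: "host1.example.lan. IN A 192.0.2.10"
    local-data: "www.example.lan. IN CNAME host1.example.lan."
    local-data: "mail.example.lan. IN CNAME www.example.lan."
    local-data: "dead.example.lan. IN CNAME nowhere.example.lan."
    local-data: "loop1.example.lan. IN CNAME loop2.example.lan."
    local-data: "loop2.example.lan. IN CNAME loop1.example.lan."
"""

LOCAL_DATA_RE = re.compile(r'^\s*local-data:\s*"([^"]+)"\s*$')

def parse_local_data(config_text):
    """Return {owner: [(rtype, rdata), ...]} from the local-data lines.
    Owner names are lower-cased; an optional TTL and the IN class are skipped."""
    zone = {}
    for line in config_text.splitlines():
        m = LOCAL_DATA_RE.match(line)
        if not m:
            continue
        owner, *rest = m.group(1).split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                      # drop TTL / class tokens
        zone.setdefault(owner.lower(), []).append((rest[0].upper(), " ".join(rest[1:])))
    return zone

def resolve(zone, qname, qtype, max_chain=8):
    """Answer qname/qtype from local data, following CNAMEs like a cache would.
    Returns (rcode, answer) where answer lists (owner, type, rdata) in chain
    order; rcode is SERVFAIL when the chain loops or exceeds max_chain."""
    answer, name = [], qname.lower()
    for _ in range(max_chain):
        rrset = zone.get(name)
        if rrset is None:                    # target missing: NXDOMAIN, chain kept
            return "NXDOMAIN", answer
        wanted = [(name, t, d) for t, d in rrset if t == qtype.upper()]
        if wanted:
            return "NOERROR", answer + wanted
        cnames = [d for t, d in rrset if t == "CNAME"]
        if not cnames:                       # name exists, no data of that type
            return "NOERROR", answer
        answer.append((name, "CNAME", cnames[0]))
        name = cnames[0].lower()
    return "SERVFAIL", answer
```

A query for `mail.example.lan. A` yields the two CNAME records plus the final A record in chain order, which is what the post expects unbound to produce from its local data.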

