unbound as a proxy of authoritative server
François Lafont
francois.lafont.1978 at gmail.com
Sun Sep 21 21:44:07 UTC 2025
Hi,
I can explain my use case. We have a domain
"domain.tld" with 2 public authoritative servers.
In this zone, there is a declaration of a
delegation to the zone "in.domain.tld" like this:
------------------------------
# Records in the zone "domain.tld".
type=NS name=in.domain.tld. => ns1.in.domain.tld
type=NS name=in.domain.tld. => ns2.in.domain.tld
# And glue records.
type=A name=ns1.in.domain.tld => 172.31.100.1
type=A name=ns2.in.domain.tld => 172.31.100.2
------------------------------
The "in" zone contains only hosts with RFC1918
IP addresses. Even the NS of this zone. It's
not a problem, this zone is only for private
usage in a private network. So no problem if
there is no DNS resolution of our "in" zone
for the rest of the world, right?
But now, the problem: there is a Certificate
Authority (CA) and RFC 8659 which says that
to deliver a certificate for www.in.domain.tld
the CA must attempt these DNS requests (in
this order):
1. type=CAA name=www.in.domain.tld <= timeout for CA
2. type=CAA name=in.domain.tld <= timeout for CA
3. type=CAA name=domain.tld <= OK
And according to the RFC, timeout is not OK. A
response is required, even empty or NXDOMAIN are
OK, but not timeout. So, currently, no certificate
for us in the "in" zone.
My idea was to change the "in" delegation and
declare the "in" NS with public IP addresses.
And then install unbound as the "in" NS server with
2 views:
1. One "default" view where unbound is like a
proxy of the real authoritative "in" NS
servers. (this is my question in this post)
2. One "fake4ca" view with a local-zone for
"in.domain.tld." with the type "static" and
with almost no records in the zone (because
even an empty response is OK for CA). This
view will be enabled only for the CA which
belongs to the CIDR W.X.Y.Z/24.
But I have the feeling that unbound is not the
good program to do that, am I wrong?
Clearly, the point 2. is very easy but the
point 1. seems to me not possible with unbound.
But this is the object of my post.
Thanks.
--
François Lafont
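To make the RFC 8659 lookup chain from the post concrete, here is an added simulation (my own illustration, not code from the post and not an unbound configuration): it walks the CAA tree-climb for www.in.domain.tld over a constructed answer table, once with the current private-only delegation and once with the proposed almost empty "fake4ca" zone answering the CA. The CA name "ca.example" and both tables are constructed.

```python
# Added illustration, not code from the post and not an unbound config.
# It models the CAA tree-climb a CA performs under RFC 8659 section 3
# over a constructed, in-memory answer table, so it runs offline.

TIMEOUT = object()  # sentinel: the query got no answer at all


def caa_lookup_chain(name):
    """Names a CA queries for CAA, from the FQDN up to the TLD, in order."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def relevant_caa(name, resolver):
    """Return (status, name_that_answered, records) for `name`.

    Per RFC 8659 the first name in the chain with a non-empty CAA RRset
    wins.  An empty answer (NOERROR, no CAA) or NXDOMAIN is fine: the walk
    simply continues to the parent.  A timeout leaves the CA unable to
    determine the policy, so issuance must fail.
    """
    for candidate in caa_lookup_chain(name):
        answer = resolver.get(candidate, [])  # unknown names: NOERROR, no CAA
        if answer is TIMEOUT:
            return ("timeout", candidate, [])
        if answer:  # a non-empty CAA record set ends the walk
            return ("found", candidate, list(answer))
    return ("none", None, [])


# Constructed table modelling the post's current situation: the NS for
# "in.domain.tld" only have RFC1918 glue, so the CA's queries time out.
CURRENT = {
    "www.in.domain.tld.": TIMEOUT,
    "in.domain.tld.": TIMEOUT,
    "domain.tld.": [("issue", "ca.example")],  # constructed CAA record
    "tld.": [],
}

# Constructed table for the proposed "fake4ca" view: the publicly reachable
# unbound serves an almost empty static zone to the CA's /24, so the CA gets
# NXDOMAIN / empty answers and the walk reaches domain.tld.
WITH_FAKE4CA = dict(CURRENT)
WITH_FAKE4CA["www.in.domain.tld."] = None  # NXDOMAIN from the static zone
WITH_FAKE4CA["in.domain.tld."] = []        # NOERROR, no CAA records

if __name__ == "__main__":
    for label, table in (("current", CURRENT), ("fake4ca", WITH_FAKE4CA)):
        print(label, relevant_caa("www.in.domain.tld.", table))
```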