unbound as a proxy of authoritative server

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon Sep 22 08:48:27 UTC 2025


Hi François,

We actually do have something like that in mind (point 1) and on our 
immediate roadmap.
Are you interested in testing out a development version of that?
(The caveat is that until the functionality is merged, configuration 
options and behaviour are bound to change)

If so I can see if I can have something public soon-ish.

Best regards,
-- Yorgos

On 21/09/2025 23:44, François Lafont via Unbound-users wrote:
> Hi,
> 
> I can explain my use case. We have a domain
> "domain.tld" with 2 public authoritative servers.
> In this zone, there is a declaration of a
> delegation to the zone "in.domain.tld" like this:
> 
> ------------------------------
> # Records in the zone "domain.tld".
> 
> type=NS name=in.domain.tld. => ns1.in.domain.tld
> type=NS name=in.domain.tld. => ns2.in.domain.tld
> 
> # And glue records.
> type=A name=ns1.in.domain.tld => 172.31.100.1
> type=A name=ns2.in.domain.tld => 172.31.100.2
> ------------------------------
> 
> The "in" zone contains only hosts with RFC1918
> IP addresses. Even the NS of this zone. It's
> not a problem, this zone is only for private
> usage in a private network. So no problem if
> there is no DNS resolution of our "in" zone
> for the rest of the world, right?
> 
> But now, the problem: there is a Certificate
> Authority (CA) and RFC 8659, which says that
> to deliver a certificate for www.in.domain.tld
> the CA must attempt these DNS requests (in
> this order):
> 
> 1. type=CAA name=www.in.domain.tld <= timeout for CA
> 2. type=CAA name=in.domain.tld     <= timeout for CA
> 3. type=CAA name=domain.tld        <= OK
> 
> And according to the RFC, a timeout is not OK. A
> response is required; even an empty one or NXDOMAIN
> is OK, but not a timeout. So, currently, no certificate
> for us in the "in" zone.
> 
> My idea was to change the "in" delegation and
> declare the "in" NS with public IP addresses.
> And then install unbound as "in" NS server with
> 2 views:
> 
> 1. One "default" view where unbound is like a
>     proxy of the real authoritative "in" NS
>     servers. (this is my question on this post)
> 2. one "fake4ca" view with a local-zone for
>     "in.domain.tld." with the type "static" and
>     with almost no records in the zone (because
>     even an empty response is OK for CA). This
>     view will be enabled only for the CA which
>     belongs to the CIDR W.X.Y.Z/24.
> 
> But I have the feeling that unbound is not the
> right program to do that, am I wrong?
> 
> Clearly, point 2 is very easy but point 1
> seems to me not possible with unbound.
> But this is the object of my post.
> 
> Thanks.
> 
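Point 2 of the quoted post, written out as an Unbound configuration (an added example, not from either poster or the Unbound project). It assumes the public "in" delegation points at this Unbound instance, uses 192.0.2.0/24 as a stand-in for the CA netblock W.X.Y.Z/24, and does not address point 1, which Yorgos says is still on the roadmap.

```conf
server:
    interface: 0.0.0.0
    # Stand-in for the CA netblock (W.X.Y.Z/24 in the post).
    # Only this netblock gets the "fake4ca" view.
    access-control: 192.0.2.0/24 allow
    access-control-view: 192.0.2.0/24 fake4ca
    # Everyone else stays on the default view; what that view should do
    # (proxy the private authoritative servers) is point 1 of the post
    # and is not solved here.
    access-control: 0.0.0.0/0 refuse

view:
    name: "fake4ca"
    # static: answer only from local-data below. Names not listed get
    # NXDOMAIN; listed names get NODATA for types not listed (e.g. CAA).
    local-zone: "in.domain.tld." static
    # SOA so negative answers carry an authority section; serial is constructed.
    local-data: "in.domain.tld. 3600 IN SOA ns1.in.domain.tld. hostmaster.domain.tld. 2025092201 3600 900 604800 300"
    local-data: "in.domain.tld. 3600 IN NS ns1.in.domain.tld."
    local-data: "in.domain.tld. 3600 IN NS ns2.in.domain.tld."
```

With this view the CA's CAA query for www.in.domain.tld gets NXDOMAIN and the one for in.domain.tld gets NODATA, both answers rather than timeouts, so the lookup falls through to domain.tld as in the post's step 3.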