Forward zones and recusion

Jaap_Winius · June 6, 2019, 2:54pm

Hi folks,

Apparently, if a forward zone is added to Unbound, the servers defined in that statement must support recursion to other name servers, although I assume that's only the case if the zone includes glue records.

Originally, my idea was to follow best practices and disable recursion on our (internal) authoritative name servers, while keeping the number of forward zones in the Unbound configuration to a minimum, hoping that Unbound would follow the glue records to the correct name servers and resolve all of the client queries anyway. But, now it looks like that boat was never going to sail. Strange, because Unbound does does do this kind of recursion for names out on the Internet.

Can anyone explain why Unbound has this limitation? Is it the same for BIND?

Thanks,

Jaap

Patrik_Lundin1 · June 6, 2019, 9:48pm

Are you sure forward-zone is what you want? It sounds to me like
stub-zone is more fitting for your needs.

Tony_Finch · June 7, 2019, 11:29am

Yes, in BIND a forward server must be a recursive server. If you want to
configure specific addresses for a zone's authoritative servers in BIND
you need a static-stub zone configuration, which is like Unbound's stub
zone configuration. (BIND's stub zone configuration is weird and not
usually what you want.)

See also the forwarding-related definitions in RFC 8499 "DNS terminology".

Tony.

Jaap_Winius · June 7, 2019, 2:09pm

Quoting Patrik Lundin <patrik@sigterm.se>:

Are you sure forward-zone is what you want? It sounds to me like
stub-zone is more fitting for your needs.

Yes, that was it! You've made a number of people happy.

Thank you very much,

Jaap Winius