How to use multiple root-hints files to recursively resolve different zones?

I have unbound set up to do recursive domain name resolution using the internic.net root-hints file, but I would also like to be able to recursively resolve OpenNIC domain names using the hints for OpenNIC. I'm using the config below, and whenever I try to look up opennic.glue, it just tries the regular nameservers rather than the ones specified in the "glue" auth-zone root-hints file (and fails, of course). What am I doing wrong? Is auth-zone even the right approach?

server:
    interface: 127.0.0.1
    interface: ::1
    chroot: ""
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    root-hints: root.hints
    trust-anchor-file: trusted-key.key
    log-servfail: yes

auth-zone:
    name: "glue"
    #master: 75.127.96.89
    zonefile: "/etc/unbound/opennic.hints"
    for-downstream: no
    for-upstream: yes
    fallback-enabled: yes

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

Hi Danny,

I am not accustomed to opennic's alternate root and their inner
workings but I can point out some things.

auth-zone is indeed the wrong place to put root hints.

You can follow these instructions from the opennic wiki
(https://wiki.opennic.org/tier_2_unbound) mainly the part about the
`root-hints:` option and how to get the file content.

You will also need to add the opennic trust anchor in your
`trust-anchor-file:` file in order to resolve their DNSSEC signed
domains (https://wiki.opennic.org/opennic/dnssec).

With these you should be up and running.

However please note that by doing that you trust an additional root key
and may face domain name collisions if the same TLDs are registered by
both opennic and ICANN (internic). I *suppose* that in that case the
opennic TLD will take precedence.

Hope that helps.

-- George
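
Added example (not part of the original thread): the configuration from the question rearranged along the lines of the reply above. File names are the ones used in the question; that the OpenNIC anchor record has already been appended to trusted-key.key is an assumption.

```conf
# Added illustration, not the poster's or the Unbound project's own config.
server:
    interface: 127.0.0.1
    interface: ::1
    chroot: ""
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # root-hints sets where recursion starts for the whole tree, not for one
    # TLD. With the OpenNIC hints here, every lookup (ICANN names included)
    # begins at the servers listed in this file.
    root-hints: "/etc/unbound/opennic.hints"

    # Assumption: this file now holds the OpenNIC anchor record in addition
    # to the anchor that was already there. Each anchor in this file is a
    # key the validator will accept, so keep the file root-owned and
    # review any change to it.
    trust-anchor-file: trusted-key.key

    log-servfail: yes

# The auth-zone "glue" block from the question is dropped, per the reply:
# auth-zone is not the place for a hints file.

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
```

Running unbound-checkconf against the edited file before restarting catches syntax errors and missing files.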