intercept RR during recursion (v2, typos fixed)

I've observed the following (in 1.13.1-1ubuntu5.2):

dns:

host1.dom.nl. CNAME host2.sub.dom.nl.
sub.dom.nl. NS ns.dom.nl.

ns.dom.nl:

host2.sub.dom.nl. A 1.2.3.4

config:

local-zone: "sub.dom.nl." transparent
local-data: "host2.sub.dom.nl. A 8.9.10.11"

When I query host1.dom.nl with dig I get:

;; ANSWER SECTION:
host1.dom.nl. CNAME host2.sub.dom.nl.
host2.sub.dom.nl. A 1.2.3.4

What I would have expected:

;; ANSWER SECTION:
host1.dom.nl. CNAME host2.sub.dom.nl.
host2.sub.dom.nl. A 8.9.10.11

It looks like the local-data 'intercept' only occurs on the query, and not in the recursion stage.

Is this as designed? A bug? Fixed already?

Thanks,

Simon

Hi Simon,

This is as designed. Local data is used before any recursion.
What you want to do can be achieved by either a stub-zone (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#stub-zone-options; redirecting to a nameserver with data for sub.dom.nl.) or an auth-zone (https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#authority-zone-options; Unbound will itself serve the zone) clause.

The auth-zone can be configured for both downstream (replying before recursion) and upstream (using auth data in the recursion stage) with 'for-downstream:' and 'for-upstream:' respectively.

Best regards,
-- Yorgos
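
The auth-zone approach from the reply above, sketched as an unbound.conf fragment for the zone in this thread. This is an added example, not configuration posted by either participant; the zone file path, SOA values and hostmaster name are assumptions.

```conf
# unbound.conf (added example)

server:
    # The attempt from the thread. local-data is consulted only for the
    # name the client asked for, before any recursion, so it is not applied
    # to the CNAME target host2.sub.dom.nl. reached while resolving
    # host1.dom.nl.
    # local-zone: "sub.dom.nl." transparent
    # local-data: "host2.sub.dom.nl. A 8.9.10.11"

auth-zone:
    name: "sub.dom.nl."
    # Hypothetical path; no primary: or url: is set, so the zone is
    # loaded from this file only.
    zonefile: "/etc/unbound/sub.dom.nl.zone"
    # Reply to clients that ask for names in sub.dom.nl. directly,
    # before recursion.
    for-downstream: yes
    # Use the zone data in the recursion stage, which is where the
    # CNAME from host1.dom.nl. is followed.
    for-upstream: yes

# Contents of /etc/unbound/sub.dom.nl.zone (constructed sample).
# Unbound serves the whole of sub.dom.nl. from this file, so every
# record clients need from that zone has to be listed here, not only
# the one being overridden.
#
#   $ORIGIN sub.dom.nl.
#   $TTL 3600
#   @      IN SOA ns.dom.nl. hostmaster.dom.nl. 1 3600 900 604800 300
#   @      IN NS  ns.dom.nl.
#   host2  IN A   8.9.10.11
```

After a reload, `dig host1.dom.nl` against this resolver is the check to run: the answer section should show the CNAME followed by the A record from the zone file.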