Query forwarding

Hi,

I'm trying to figure out how unbound can be configured to behave
with respect to query forwarding. In unbound.conf(5) I find this
particular gem:

    forward-first: <yes or no>
           If enabled, a query is attempted without the forward clause if
           it fails. The data could not be retrieved and would have caused
           SERVFAIL because the servers are unreachable, instead it is
           tried without this clause. The default is no.

I don't mean to be too harsh, but ... can someone please
disambiguate this for me? In the first sentence it's far from clear
what "if it fails" means (unbound fails to find a cached answer?),
and also slightly unclear what "the forward clause" means. In the
second it's unclear what "the servers" means (forwarding servers or
delegated-to name servers). Thirdly, it strikes me that the sense
of the first sentence is probably the opposite of what's intended,
at least from an intuitive interpretation of the option name --
"forward first = yes" indicates "use the configured forwarding
server(s) first before trying to do own recursion"(?).

Once I understand what this does, I can hopefully come up with a
suggestion for replacement text which isn't so rife with traps for
misinterpretation...

Regards,

- Håvard

Oddly this was perfectly clear to me when I first read it, but on each subsequent re-read, I find myself re-parsing the words and second-guessing :-) With forward-first: no, Unbound will forward a query as configured for this zone, and if it ultimately reaches SERVFAIL state, that’s what it returns to the client. With forward-first: yes, Unbound will forward a query and if it ultimately reaches SERVFAIL state, it will fall back on resolving via the default method as though there were no forwarding clause at all. However, only SERVFAIL will cause default resolution methods to be used, a NXDOMAIN or other no answer situations will be returned without further lookups. This can be useful if you wanted to, for example, forward a particular zone within a VPN if the VPN is up, but you still want to resolve via normal resolution (recursion, forwarding, whatever) if the VPN based authoritative servers are not available.

Longer explanation can be found on
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

Please let me know if the text helps or is unclear, we would be happy to
improve it!
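The VPN scenario described in the reply above, written out as an unbound.conf fragment. This is an added example, not text from the thread or from the Unbound project's own documentation; the zone name, the forwarder addresses (RFC 5737 documentation range) and the listening interface are assumptions made for illustration.

```conf
# Added example: forward one internal zone to VPN-side resolvers, but keep
# resolving it by ordinary recursion when those resolvers are unreachable.
# The zone name and addresses below are placeholders, not real hosts.

server:
    interface: 127.0.0.1
    # Everything not matched by a forward-zone below is resolved by normal
    # recursion from the root.

forward-zone:
    # Hypothetical internal zone that is normally reachable only over the VPN.
    name: "corp.example."
    # Hypothetical resolvers on the VPN side (documentation addresses).
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
    # If the forwarded query ends in SERVFAIL (for example because both
    # forwarders are unreachable while the VPN is down), retry the query by
    # normal recursion as if this forward-zone did not exist. A NXDOMAIN or
    # NODATA answer from the forwarders is returned to the client as-is and
    # does not trigger the fallback.
    forward-first: yes
```

Note the failure mode this does not cover: a forwarder that is reachable but answers NXDOMAIN for the zone (for instance a captive-portal resolver) is treated as an authoritative negative answer, so the client sees NXDOMAIN rather than a recursive lookup. After editing, `unbound-checkconf` validates the syntax of the file before a reload.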

Hi,

picking up on this two-year-old message, trying to improve the
documentation of "forward-first":

    forward-first: <yes or no>
           If enabled, a query is attempted without the forward clause if
           it fails. The data could not be retrieved and would have caused
           SERVFAIL because the servers are unreachable, instead it is
           tried without this clause. The default is no.

It seems this hasn't changed or improved since. Based on the replies,
let me suggest a replacement:

forward-first: <yes or no>
  If a forwarded query is met with a SERVFAIL error, and this option
  is enabled, unbound will fall back to normal recursive resolution
  for this query as if no query forwarding had been specified. The
  default is "no".

Ref. https://github.com/NLnetLabs/unbound/pull/12

Regards,

- Håvard

Hi Havard,

> Hi,
>
> picking up on this two-year-old message, trying to improve the
> documentation of "forward-first":
>
>     forward-first: <yes or no>
>            If enabled, a query is attempted without the forward clause if
>            it fails. The data could not be retrieved and would have caused
>            SERVFAIL because the servers are unreachable, instead it is
>            tried without this clause. The default is no.
>
> It seems this hasn't changed or improved since. Based on the replies,
> let me suggest a replacement:

Thanks, fixed documentation as suggested.

Best regards, Wouter