I'm using unbound for my local home network. Problem is in that I'm
using virtual servers for various tasks on my server, so I have big
enough zones to think about reducing mantaince work.
Currently i'm using two NSDs - one for 'public' zone data, which
contains all AAAA and public A records, and one for 'private' zone data,
that is - for ips like 192.168.*. (Yes, I'm trying to do so-called
'split-horizon')
Problem is, that for every new record, even SRV or CNAME, I'm forced to
add them to both servers and, what is much worse, I'm forced to
dublicate all AAAA records, as unbound queries only one server specified
for stub-zone and returns what it returns =).
So, here comes my question - is it somehow possible to make unbound
query all specified nameservers in specified order, accumulating result,
but keeping first positive answer, if another is given (maybe through
some additional script or module)? Or, maybe, there could be
'transparent' stub-zone, like local-zones (same idea) (that seems to how
dnsmasq operates)?
I've also tried to 'compile' nsd zone into unbound syntax. That is:
i've done something like that:
local-zone: "example.com." transparent
local-data: "computer.example.com. IN A 192.168.2.4"
That works as with stub-zone, i.e:
if computer.example.com has also AAAA record on upstream server - it
will not be fetched.
If there is following record on upstream server:
computer2.example.com IN CNAME computer.example.com.
computer IN A 12.13.14.15
Resolved ip for computer2.example.com will be 12.13.14.15, not
192.168.2.4. And that's strange - as shown by logs, unbound drops ...
IN A reply from upstream server when it get CNAME and then running
query again for CNAME value, but without checking for local zones.
If local zones are done for replacing some records (not all - stub
zone will replace full zone) with local - second issue is strange.
If local zones are done for adding some local record - first issue is strange.
You could use $INCLUDE in the zonefile for the two NSD's to read the
common data from the same file. Then you only have to edit one file.
If you want to get fancier than that, m4 is very powerful.
The feature for unbound sounds like bloat (above workaround easier). If
you really, really want it you could use the python module for unbound
to code this behaviour (for a specific subdomain). If you do, perhaps
we should start to accumulate nice python bits in contrib...