unbound as a proxy of authoritative server

Hi,

Is it possible with unbound to use it as a proxy
of an authoritative server? For instance, if I try
a configuration like this (which doesn't work):

I've got a similar situation where I have a "proper" server (BIND 9) exposed to the Internet with a fleet of telemetry servers under a private / non-ICANN TLD behind it. As far as the Internet is concerned, this server is authoritative for the private domain.

Technically the server needs to recurse to obtain answers, so on the "happy path" non-recursive queries do not work. (The lack of an "aa" flag is more of a cosmetic concern.) There are some other issues as well, and there are ways around most of them.

There's also a lot of FUD around servers dropping queries rather than answering REFUSED. (Yet the BIND RPZ implementation provides Drop and NXDOMAIN policies, but not REFUSED.)

There's a lot of trampled ground, but not a lot of clear "pathways of desire".

Exactly how widespread this kind of usage is is unclear. (Spamhaus and virus signature services are other examples although the popularity they enjoy is probably not reflected in most such services.)

Hi,

I can explain my use case. We have a domain
"domain.tld" with 2 public authoritative servers.
In this zone, there is a declaration of a
delegation to the zone "in.domain.tld" like this:

Hi François,

We actually do have something like that in mind (point 1) and on our immediate roadmap.
Are you interested in testing out a development version of that?
(The caveat is that until the functionality is merged, configuration options and behaviour are bound to change.)

If so I can see if I can have something public soon-ish.

Best regards,
-- Yorgos

Hi,

I’m really keen on this feature too as a way to resolve using the zone apex pointing to a CNAME. I know this is not RFC compliant but many DNS providers support it today and I have multiple use cases for it with existing clients.