Unbound Partial Authority of Zone

Unbound
1

Hello unbound-users,

I am tackling with a problem where I want Unbound to be an authoritative nameserver for a zone, but only for specific records.

There is a public domain registered by somebody on the Internet. Let’s say “example.com”.

I need my Unbound server to be partially authoritative for the zone “example.com” for my internal client servers.

I want Unbound to serve the following records to my internal client servers whenever they ask for them.

Whenever a query arrives for a different record (Let’s say “www.example.com”) then I want Unbound to do the normal DNS recursive resolving process on the Internet.

I want to do this via the auth-zone section in Unbound because I already have the “example.com” zone on an NSD Authoritative DNS server. I successfully perform a zone transfer between Unbound and NSD for this particular zone and Unbound has those 3 records and provides answers for them. However, whenever I try to query it for “www.example.com” it doesn’t want to do the normal DNS recursive resolving process on the Internet and doesn’t return an answer.

auth-zone:
name: example.com
master: <<My_Master>>
allow-notify: <<My_Master>>
fallback-enabled: yes
for-downstream: no
for-upstream: yes

I tried all combinations of (fallback-enabled,for-downstream,for-upstream) and none of them work.

Any ideas ?

OS: CentOS 7.6

Unbound version: 1.9.0

2

Hi Freya,

Hello unbound-users,

I am tackling with a problem where I want Unbound to be an authoritative
nameserver for a zone, but only for specific records.

There is a public domain registered by somebody on the Internet. Let's
say "example.com".

I need my Unbound server to be partially authoritative for the zone
"example.com" for my internal client servers.

I want Unbound to serve the following records to my internal client
servers whenever they ask for them.

This task is not for the auth-zone feature, that serves entire zones
authoritatively, or caches them for local look up. The local-zone
feature does what you want. You can register a list of names, and
records, and those are applied to answers, but not certain other answers.

Declare local-zone entries for the pieces you want covered. There is a
lot of choice here, depending on what you want the processing to do.
The transparent zone mixes per name, the names you give local-data for
get answers from local-data, the others from the upstream look ups.
There is also a local-zone type for per-RR-type mix, and other options,
like logging.

You can nest local-zones, eg. if you want nxdomains for a set of names,
declare a local-zone static for that. It looks up the closest localzone
and uses the type of that.

Then list the data as local-data statements. Just copy the records in
local-data quotes. If the records in the zonefile are relative (eg. not
the full names), make them full names, for example by filtering the file
with ldns-read-zone (and maybe also sort and canonicalize it, but it
them has full names). And then put it line by line into local-data
statemenets. And have a local-zone entry for the zone, type transparent
is I think the one you want. Unless you want nxdomains, or denials or
non-denials but upstream lookups of specific names and records.

It is possible to put the result into a file and then include:
"filename" that file into the unbound.conf just to make it easier to
update, or script.

Best regards, Wouter

3

Hi Wouter,

Thank you for taking the time to reply to my question.

In my opinion, it would’ve been nice if Unbound was able to acquire local-data statements automatically via zone transfers.
This way, administrators wouldn’t need to generate and maintain a file specifically for Unbound and reload Unbound each time a new local-data entry was added to the file.
local-data entries seem to be identical in syntax to record entries in zone files.

Kind regards