Maintained by: NLnet Labs

[Unbound-users] Can't get CNAME entries to resolve

W.C.A. Wijngaards
Tue Mar 3 09:13:26 CET 2009


Hi M:D,

What you are running into is the fact that Unbound is not designed to be
a full-featured *authoritative* DNS server.  It is a full-featured
*recursive* DNS server.

Thus, Unbound can perform CNAME resolution as a recursive server very
well.  But publishing CNAME records - what you are doing below - as an
authoritative server is not its forte.

The authoritative features present in unbound have been purposefully
left minimal; enough to block a site.  Very simple.

How to make the stub thing work.
The idea is to use another server to be the authoritative server.  Such
as NSD (the authoritative server made by NLnet Labs which has similar
high performance).  You run NSD on port: 10053 with the example.net
zone.  NSD is a good authoritative server for CNAME, DNSSEC, NSEC3, ...

Then you provide unbound with a stub zone:
stub-zone:
	name: "example.net"
	stub-addr: 127.0.0.1@10053

You can also run the NSD server on a different computer, of course.

Best regards,
   Wouter

M. David Peterson wrote:
> Hello,
> 
> I've been playing around with Unbound and thus far have been /very/
> impressed with its performance.  In fact, the only thing currently
> preventing me switching our primary and secondary DNS from BIND to
> Unbound is the fact that I can't seem to figure out how to get CNAME
> resolution to work properly.  The documentation makes reference to using
> a stub-zone to gain CNAME support, but it's not obvious what that means
> exactly. I've played around with different stub-zone configurations but
> as of yet haven't found one that seems to work correctly.
> 
> The only example I've found that highlights a CNAME entry as part of the
> Unbound config file is located at
> http://www.howtoforge.com/installing-using-unbound-nameserver-on-debian-etch
> Unfortunately the provided example -- a sample of which is provided
> inline below -- doesn't work.  Can someone steer me in the right
> direction as far as how to go about referencing both an internal and
> external CNAME alias which Unbound will then resolve when requests for
> the configured sub-domain are made?
> 
> Thanks in advance for your help!
> 
> local-zone: "example.net." static
>         local-data: "example.net. 86400 IN NS ns1.hostingcompany.com."
>         local-data: "example.net. 86400 IN NS ns2.hostingcompany.com."
>         local-data: "example.net. 86400 IN SOA ns1.hostingcompany.com. hostmaster.hostingcompany.com. 2008052201 28800 7200 604800 86400"
>         local-data: "example.net. 86400 IN A 1.2.3.4"
>         local-data: "www.example.net. 86400 IN CNAME example.net."
>         local-data: "mail.example.net. 86400 IN A 1.2.3.4"
>         local-data: "example.net. 86400 IN MX 10 mail.example.net."
>         local-data: "example.net. 86400 IN TXT v=spf1 a mx ~all"
> 
> -- 
> /M:D
> 
> M. David Peterson
> Co-Founder & Chief Architect, 3rd&Urban, LLC
> Email: m.david at 3rdandUrban.com | m.david at amp.fm
> Mobile: (206) 999-0588
> http://3rdandUrban.com | http://amp.fm |
> http://www.oreillynet.com/pub/au/2354 |
> http://broadcast.oreilly.com/m-david-peterson/
> 

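A small lint for the setup described in the reply above, as an added example that is not part of the original thread or NLnet Labs' code. It flags CNAME records left in local-data, a stub-zone hidden behind a local-zone of the same name (Unbound answers from local zones first), and a loopback stub-addr, which Unbound does not query unless do-not-query-localhost is set to no. The function names, finding codes and both sample configurations are constructed for illustration.

```python
# Constructed samples: the question's local-data approach, then the stub-zone fix.
BEFORE = '''server:
    local-zone: "example.net." static
    local-data: "www.example.net. 86400 IN CNAME example.net."
stub-zone:
    name: "example.net"
    stub-addr: 127.0.0.1@10053
'''
AFTER = '''server:
    do-not-query-localhost: no
stub-zone:
    name: "example.net"
    stub-addr: 127.0.0.1@10053
'''

def norm(name):
    """Lower-case a zone name and drop quotes and the trailing dot."""
    return name.strip('"').lower().rstrip(".")

def lint_unbound_conf(text):
    """Return sorted (code, detail) findings for an unbound.conf string."""
    clause, local_zones, stub_names, stub_addrs = "", set(), set(), []
    findings, localhost_ok = set(), False
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if not value:  # clause header such as "stub-zone:"
            clause = key
        elif key == "local-zone":
            local_zones.add(norm(value.split()[0]))
        elif key == "local-data":  # naive: any field equal to CNAME counts
            fields = value.strip('"').split()
            if "CNAME" in (f.upper() for f in fields):
                findings.add(("local-cname", norm(fields[0])))
        elif key == "name" and clause == "stub-zone":
            stub_names.add(norm(value))
        elif key == "stub-addr":
            stub_addrs.append(value)
        elif key == "do-not-query-localhost":
            localhost_ok = value == "no"
    for name in stub_names & local_zones:  # local zones answer before stubs
        findings.add(("stub-shadowed-by-local-zone", name))
    for addr in stub_addrs:
        if addr.startswith(("127.", "::1")) and not localhost_ok:
            findings.add(("loopback-not-queried", addr))
    return sorted(findings)
```

`lint_unbound_conf(BEFORE)` reports all three findings; `lint_unbound_conf(AFTER)` returns an empty list.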