Maintained by: NLnet Labs

[Unbound-users] forward zone vs stub

Johan Ihrén
Tue Oct 23 12:47:36 CEST 2012

Hi again,

On Oct 23, 2012, at 12:17 , Kapetanakis Giannis wrote:

> On 23/10/12 12:56, Johan Ihrén wrote:
>> I think you need to be significantly more specific in what you're doing here.
>> You have an external version of "", presumably with nameservers on the public Internet.
>> You also have an internal version of "", presumably with nameservers on the inside, specifically
>> Which zone file is it that contains "external authoritative DNS servers as well"?
>> And if you're using views (apart from the "God help you"-part), then you need to explain that, including your matching rules and what it is that you're trying to achieve.
>> Regards,
>> Johan (firm believer in "DNS should be kept simple")
> You're right about the views. The views are on BIND (authoritative) and have different data for external clients.
> What I really want is my internal users to use unbound servers with the following options:
> a) unbound should forward all requests for local zones (*, 123.123.x.x, 10.x.x.x) to local authoritative servers (BIND)

Yes, I get that. However, I'd strongly advise that you don't call that to "forward". "Forwarding" is something you implement with "forward-zone:", which is distinctly different from what you do with a "stub-zone:". Forwarding by definition is one recursive server forwarding a query to another recursive server. That's not what's happening when you're using stub-zone:, which is basically pre-loading the cache with static entries for the nameservers of a particular zone.

> b) the local zones should not be cached on the unbound because I want the updates to be automatically propagated.

This is yet another requirement. However, let's ignore that for the moment, as that's orthogonal to the issue of your stubs.

> In another similar setup (but with bind only) the the caching server is also secondary for each zone, but is not listed in the NS records.

Yeah, I know that's a popular party trick, but let's not go there as this is the Unbound-list.

However, you never answered my question: Which zone file is it that contains "external authoritative DNS servers as well"?