
List:       unbound-users
Subject:    Re: Always Respond to NS record requests....
From:       "Amir A. via Unbound-users" <unbound-users () lists ! nlnetlabs ! nl>
Date:       2020-03-23 20:01:52
Message-ID: DM6PR04MB62182C594D5BF3D48839C840C1F00 () DM6PR04MB6218 ! namprd04 ! prod ! outlook ! com

Unfortunately, I can't touch the client.

I was looking for a more regexish solution but it seems I can't use wildcards or anything like:

> local-zone: .com typetransparent
> local-data: "*.com ns 8.8.8.8"

I saw some reference to using stub zones if I wanted regex or wildcards but I'm not sure I can do something like the override with a stub zone. If I even manage to create false NS entries via the stub zone then the actual lookups for that domain will be forwarded to that false (and probably incorrect NS).

Guess, I am stuck with some sort of automation to deploy all the local data overrides I need...

________________________________
From: Paul Vixie <paul@redbarn.org>
Sent: Monday, March 23, 2020 3:52 PM
To: unbound-users@lists.nlnetlabs.nl <unbound-users@lists.nlnetlabs.nl>
Cc: Amir A. <thesubmitter@hotmail.com>
Subject: Re: Always Respond to NS record requests....

On Monday, 23 March 2020 13:53:03 UTC Amir A. via Unbound-users wrote:
> Hi,
> 
> For our purposes we need a DNS server to always respond to  NS record
> requests. The problem is subdomains seem not to have NS records created for
> them even if the root domain has an NS record created.
> 
> Ideally
> 
> 1.  When a client asking for the NS record of a subdomain if it doesn't
> exist I want unbound to return the NS record of the APEX domain
> 
> 2.  If that doesn't work then at least return a static entry for any NS
> record request of ANY domain or subdomain

you seem to be asking for a protocol change. finding the closest enclosing NS
RRset is not something the local server can do without searching, and right
now the protocol expects that the client who needs that data will drive that
searching. one way to perform that searching is res_findzonecut():

http://cvsweb.netbsd.org/bsdweb.cgi/src/external/bsd/libbind/dist/resolv/res_findzonecut.c?rev=1.1.1.1.14.1&content-type=text/x-cvsweb-markup

> The solution I have right now is:
> 
> local-zone: domain.com typetransparent
> local-data: "app.domain.com ns 8.8.8.8"
> 
> but that would require me to add an entry for every single "domain.com" and
> "app.domain.com"
> 
> Anybody have a better solution?

teach your client how to drive the closest encloser discovery process.

--
Paul
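
Added example, not part of either message and not code from Unbound or libbind: a sketch of the closest-encloser search described above (strip leftmost labels until an ancestor has an NS RRset), used to generate the per-name `local-data` overrides the thread ends on. `ZONE_CUTS`, `lookup_ns` and the `example.com` names are constructed stand-ins for real NS queries, and NS targets are assumed to be host names.

```python
import re

# Constructed sample data: owner names that have an NS RRset (zone cuts).
ZONE_CUTS = {
    "example.com.": ["ns1.example.com.", "ns2.example.com."],
    "dev.example.com.": ["ns1.dev.example.com."],
}
_NAME_RE = re.compile(r"(?:[a-z0-9_-]{1,63}\.)+")

def lookup_ns(name):
    """Hypothetical stand-in for sending an NS query; returns targets or []."""
    return ZONE_CUTS.get(name, [])

def normalize(name):
    """Lower-case and fully qualify a name; reject anything that could
    break out of the quoted local-data string in unbound.conf."""
    fqdn = name.lower().rstrip(".") + "."
    if not _NAME_RE.fullmatch(fqdn):
        raise ValueError(f"not a plain domain name: {name!r}")
    return fqdn

def closest_enclosing_ns(name, lookup=lookup_ns):
    """Strip leftmost labels until some ancestor answers with an NS RRset."""
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        targets = lookup(candidate)
        if targets:
            return candidate, targets
    return None, []  # no enclosing cut known to this lookup

def unbound_overrides(names, lookup=lookup_ns):
    """Render unbound.conf lines for names that lack their own NS RRset."""
    lines, zones = [], set()
    for name in sorted({normalize(n) for n in names}):
        cut, targets = closest_enclosing_ns(name, lookup)
        if cut is None or cut == name:
            continue  # nothing found, or the name already is a zone cut
        if cut not in zones:
            zones.add(cut)
            lines.append(f'local-zone: "{cut}" typetransparent')
        for target in targets:
            lines.append(f'local-data: "{name} IN NS {normalize(target)}"')
    return lines

if __name__ == "__main__":
    wanted = ["app.example.com", "api.app.example.com", "x.dev.example.com"]
    print("\n".join(unbound_overrides(wanted)))
```

The generated NS answers are synthesized at names that are not zone cuts, so they are only valid for the clients of this resolver and have to be regenerated whenever the real delegation changes.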

