Networking - DNS - Unbound - Authority Zones

auth-zone:
   name: "."
   primary: 199.9.14.201         # b.root-servers.net
   primary: 192.33.4.12          # c.root-servers.net
   primary: 199.7.91.13          # d.root-servers.net
   primary: 192.5.5.241          # f.root-servers.net
   primary: 192.112.36.4         # g.root-servers.net
   primary: 193.0.14.129         # k.root-servers.net
   primary: 192.0.47.132         # xfr.cjr.dns.icann.org
   primary: 192.0.32.132         # xfr.lax.dns.icann.org
   primary: 2001:500:200::b      # b.root-servers.net
   primary: 2001:500:2::c        # c.root-servers.net
   primary: 2001:500:2d::d       # d.root-servers.net
   primary: 2001:500:2f::f       # f.root-servers.net
   primary: 2001:500:12::d0d     # g.root-servers.net
   primary: 2001:7fd::1          # k.root-servers.net
   primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
   primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
   fallback-enabled: yes
   for-downstream: no
   for-upstream: yes
auth-zone:
   name: "example.org"
   for-downstream: yes
   for-upstream: yes
   zonefile: "example.org.zone"

NOTE: The data for these zones is kept locally, from a file or downloaded.

The data can be served to downstream clients, or used instead of the upstream (which saves a lookup to the upstream).

The first example has a copy of the root for local usage.

The second serves example.org authoritatively.

name “.” covers all queries.
primary: fetches with AXFR and IXFR, or url to zonefile.
fallback-enabled: has default no. If enabled, unbound falls back to querying the internet as a resolver for this zone when lookups fail.
for-downstream: has default yes. If enabled, unbound serves authority responses to downstream clients for this zone.
for-upstream: has default yes. If enabled, unbound fetches data from this data collection for answering recursion queries.
zonefile: reads from file (and writes to it if you also download it).