<div dir="ltr">Try:<div><br></div><div><div>server:</div><div> do-not-query-localhost: no</div></div><div><br></div><div><br></div><div>Regards,</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-05-20 20:13 GMT-03:00 Måns Nilsson via Unbound-users <span dir="ltr"><<a href="mailto:unbound-users@unbound.net" target="_blank">unbound-users@unbound.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Greetings,<br>
<br>
I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)<br>
<br>
The setup is as follows;<br>
<br>
unbound is listening on a loopback interface, lo1, using an address that<br>
is anycast, let's call it <a href="http://192.0.2.53/32" rel="noreferrer" target="_blank">192.0.2.53/32</a>. This address is configured as<br>
resolver in clients. This works.<br>
<br>
However, this particular machine is slated to go walkabout in a travel<br>
kit to a place where it might lose its connection. We still want it to<br>
work and keep on serving names, since some resources will be local.<br>
<br>
Therefore, we've got a nsd instance running on the same host. The nsd is<br>
slaving a number of the important zones we need off of the normal servers,<br>
and we intend to use stub/forward in unbound to prefer this instance --<br>
a lot of firewalling means we can't freely recurse from the root anyway,<br>
so such a setup is required regardless. We're forwarding to a pair of<br>
DMZ resolver hosts for external names, and to internal name servers for<br>
our own stuff.<br>
<br>
I initially tried to make nsd listen on 127.0.0.53 using an extra<br>
loopback interface (in contrast to a statement by a PFY working at a<br>
Swedish ISP back in the dotcom bubble days, we feel that we can afford<br>
loopback interfaces... True story.) and it works. Half-way. I can dig<br>
@<a href="http://127.0.0.53" rel="noreferrer" target="_blank">127.0.0.53</a> and get excellent answers back. But unbound refuses to use<br>
the address, and returns SERVFAIL. As soon as I make nsd listen on a<br>
physical interface on the host and change the unbound config accordingly<br>
so that it points to that address for forwarding/stub address, things<br>
start working.<br>
<br>
Is this an issue in unbound or OpenBSD (5.9)?<br>
<br>
Bonus question: Forward or Stub? I never really got through to understand<br>
the differences ;-)<br>
<br>
Thanks for any pointers in this.<br>
<span class="HOEnZb"><font color="#888888">--<br>
Måns Nilsson primary/secondary/besserwisser/machina<br>
MN-1334-RIPE <a href="tel:%2B46%20705%20989668" value="+46705989668">+46 705 989668</a><br>
We have DIFFERENT amounts of HAIR --<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Eduardo Schoedler<br></div></div>
</div>