<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 2016-01-18 03:28, Havard Eidnes via
Unbound-users wrote:<br>
</div>
<blockquote
cite="mid:20160118.122847.837752447471399137.he@uninett.no"
type="cite">
<pre wrap="">I'm trying to figure out how unbound can be configured to behave
with respect to query forwarding. In unbound.conf(5) I find this
particular gem:
    forward-first: &lt;yes or no&gt;
        If enabled, a query is attempted without the forward clause if
        it fails. The data could not be retrieved and would have caused
        SERVFAIL because the servers are unreachable, instead it is
        tried without this clause. The default is no.
</pre>
</blockquote>
<br>
Oddly this was perfectly clear to me when I first read it, but on
each subsequent re-read, I find myself re-parsing the words and
second-guessing :)<br>
<br>
With forward-first: no, Unbound will forward a query as configured
for this zone, and if it ultimately reaches SERVFAIL state, that's
what it returns to the client.<br>
<br>
With forward-first: yes, Unbound will forward a query and if it
ultimately reaches SERVFAIL state, it will fall back on resolving
via the default method as though there were no forwarding clause at
all.<br>
<br>
However, only SERVFAIL will cause default resolution methods to be
used; an NXDOMAIN or other no-answer situations will be returned
without further lookups. This can be useful if you wanted to, for
example, forward a particular zone within a VPN if the VPN is up,
but you still want to resolve via normal resolution (recursion,
forwarding, whatever) if the VPN-based authoritative servers are not
available.<br>
<br>
<pre class="moz-signature" cols="72">--
Dave Warren
<a class="moz-txt-link-freetext" href="http://www.hireahit.com/">http://www.hireahit.com/</a>
<a class="moz-txt-link-freetext" href="http://ca.linkedin.com/in/davejwarren">http://ca.linkedin.com/in/davejwarren</a>
</pre>
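<br>
The VPN scenario described in the message above, written out as an
unbound.conf fragment. This is an added example, not part of the
original message; the zone name corp.example. and the address
192.0.2.53 are placeholders.<br>
<pre wrap="">
```conf
# Constructed example: zone name and resolver address are placeholders.
forward-zone:
    # Internal zone answered by a resolver reachable only over the VPN.
    name: "corp.example."
    forward-addr: 192.0.2.53

    # yes: if forwarding ends in SERVFAIL (VPN down, server unreachable),
    #      the query is retried as though this forward-zone did not exist.
    #      NXDOMAIN and other answers from the forwarder are returned
    #      to the client as-is, with no further lookups.
    # no (default): the SERVFAIL is returned to the client.
    #
    # Consequence of yes: whenever the forwarder fails, queries for names
    # under this zone go out via normal resolution, so internal names
    # become visible outside the VPN. Keep the default (no) if that is
    # not acceptable for this zone.
    forward-first: yes
```
</pre>
Running unbound-checkconf against the file validates the syntax before
a reload.<br>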
</body>
</html>