<div dir="ltr"><div>Hello,<br><br></div>I use Unbound with OPNsense. I have secured a domain with DNSSec, its DNS server being on the WAN. It has an <a href="http://office.domain.com">office.domain.com</a> subdomain (A record).<br><br>I
 also have a local DNS server where that subdomain is set, so it 
resolves locally to local IPs. So I am adding a domain override in 
Unbound as such, which is as such in the configuration:<br><div><div><br><span style="font-family:monospace">private-domain: "<a href="http://office.domain.com">office.domain.com</a>"<br>domain-insecure: "<a href="http://office.domain.com">office.domain.com</a>"</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">forward-zone:<br>   name: "<a href="http://office.domain.com">office.domain.com</a>"<br>   forward-addr: 10.25.65.16</span><br><br>And I get this error in Unbound:</div><div><br></div><div><pre style="margin:0px;padding:0px"><code class="gmail-bbc_code">2021-06-23T20:57:39<span style="white-space:pre">   </span>unbound[60568]<span style="white-space:pre">       </span>[60568:1] info: NSEC3s for the referral proved no delegation<span style="white-space:pre"> </span> <br>2021-06-23T20:57:39<span style="white-space:pre">       </span>unbound[60568]<span style="white-space:pre">       </span>[60568:1] info: resolving <a href="http://office.domain.nc">office.domain.nc</a>. DS IN<span style="white-space:pre">        </span> <br>2021-06-23T20:57:39<span style="white-space:pre">       </span>unbound[60568]<span style="white-space:pre">       </span>[60568:1] info: query response was ANSWER<span style="white-space:pre">    </span> <br>2021-06-23T20:57:39<span style="white-space:pre">       </span>unbound[60568]<span style="white-space:pre">       </span>[60568:1] info: reply from <<a href="http://office.domain.nc">office.domain.nc</a>.> 10.25.65.16#53<span style="white-space:pre">      </span> <br>2021-06-23T20:57:39<span style="white-space:pre">       </span>unbound[60568]<span style="white-space:pre">       </span>[60568:1] info: response for <a href="http://office.domain.nc">office.domain.nc</a>. 
A IN<span style="white-space:pre">      </span> <br>2021-06-23T20:57:39<span style="white-space:pre">       </span>unbound[60568]<span style="white-space:pre">       </span>[60568:1] info: resolving <a href="http://office.domain.nc">office.domain.nc</a>. A IN</code></pre></div><div><br></div><div>I understand that error. If I disable the DNSSec feature in unbound, it works.<br><br>But
 I am wondering if there is any way to work around that (without 
disabling DNSSec checking), and have Unbound give back the ANSWER 
returned by that local DNS server?<br><br></div><div>Regards<br></div><div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Laurent<br><a href="mailto:laurent@knc.nc" target="_blank">laurent@knc.nc</a></div></div></div></div>