<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">192.18.1 is currently delegated, and it has an nsec covering it until 192.18.10. So it could happen that activating validation, unbound is doing aggressive nsec, and answers nxdomain.<br><br>Hugo<br><br><br><div class="gmail_quote">On July 25, 2022 8:38:51 PM GMT-04:00, Peter Fraser via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">

<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="background-color:rgb(255, 255, 255);display:inline !important">Hi All,</span>
<div style="margin:0px;background-color:rgb(255, 255, 255)">I would really appreciate some help with this strange problem I am having. I am running unbound 1.16.1 on FreeBSD 13.1 with NSD. I have only one strange problem. I have two subnets on my network, 192.18.1.0/24
 and 192.168.2.0/24. All forward lookups on both subnets are fine but reverse lookups for the 192.18.1.0/24 subnet fails. I notice though that when auto-trust-anchor-file is disabled, it works. Not sure why since none of my zone records are signed anyway.</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">The server that unbound is on has IP address is 192.18.1.12. This is my setup below.</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">interface: 192.18.1.12</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">do-ip4: yes</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">access-control: 0.0.0.0/0 refuse</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">access-control: 127.0.0.0/8 allow</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">access-control: 192.18.1.0/24 allow</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">access-control: 192.168.2.0/24 allow</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">local-zone: "my_domain.net." nodefault</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">local-zone: "168.192.in-addr.arpa." nodefault</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">local-zone: "18.192.in-addr.arpa." nodefault</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">stub-zone:</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">  name: "my_domain.net"</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">  stub-addr: 192.18.1.12@53000</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">stub-zone:</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">  name: "1.18.192.in-addr.arpa."</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">  stub-addr: 192.18.1.12@53000</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)"><br>
</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">stub-zone:</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">  name: "2.168.192.in-addr.arpa."</div>
<div style="margin:0px;background-color:rgb(255, 255, 255)">  stub-addr: 192.18.1.12@53000</div>
<br class="Apple-interchange-newline">
<br>
</div>

</blockquote></div></body></html>