Query forwarding
Petr Spacek
pspacek at redhat.com
Tue Jan 19 12:25:58 UTC 2016
On 19.1.2016 02:48, Dave Warren via Unbound-users wrote:
> On 2016-01-18 03:28, Havard Eidnes via Unbound-users wrote:
>> I'm trying to figure out how unbound can be configured to behave
>> with respect to query forwarding. In unbound.conf(5) I find this
>> particular gem:
>>
>> forward-first: <yes or no>
>> If enabled, a query is attempted without the forward clause if
>> it fails. The data could not be retrieved and would have caused
>> SERVFAIL because the servers are unreachable, instead it is
>> tried without this clause. The default is no.
>
> Oddly this was perfectly clear to me when I first read it, but on each
> subsequent re-read, I find myself re-parsing the words and second-guessing :)
>
> With forward-first: no, Unbound will forward a query as configured for this
> zone, and if it ultimately reaches SERVFAIL state, that's what it returns to the
> client.
>
> With forward-first: yes, Unbound will forward a query and if it ultimately
> reaches SERVFAIL state, it will fall back on resolving via the default method as
> though there were no forwarding clause at all.
>
> However, only SERVFAIL will cause default resolution methods to be used; an
> NXDOMAIN or other no-answer situation will be returned without further lookups.
> This can be useful if you wanted to, for example, forward a particular zone
> within a VPN if the VPN is up, but you still want to resolve via normal
> resolution (recursion, forwarding, whatever) if the VPN-based authoritative
> servers are not available.

A longer explanation can be found at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html

Please let me know if the text helps or is unclear; we would be happy to
improve it!

--
Petr Spacek @ Red Hat
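
The two forward-first settings discussed in this thread, side by side, as an added unbound.conf sketch that is not part of the original messages. The zone names and the forwarder address 192.0.2.53 are constructed placeholders.

```conf
# Added example; zone names and 192.0.2.53 are constructed placeholders.

# VPN-only zone, fail closed: if the forwarder cannot be reached, the
# client gets SERVFAIL and the query is not retried outside this clause.
forward-zone:
    name: "internal.example."
    forward-addr: 192.0.2.53
    forward-first: no     # the default

# Zone that also resolves without the VPN: if forwarding fails, unbound
# retries as though this forward-zone did not exist (normal resolution).
forward-zone:
    name: "public.example."
    forward-addr: 192.0.2.53
    forward-first: yes
```

With forward-first: yes, a fallback query leaves through the normal resolution path instead of the configured forwarder, so the setting suits names that also exist outside the VPN.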