Unbound does not honor forwarder DNSSEC verification?

la9k3 la9k3 at cocaine.ninja
Tue Mar 1 03:12:13 UTC 2016

Hi, I have been looking online for some time try to fix this problem, hopefully
this is the right last resort place.

Is there a way to make unbound honor my forwarder's dnssec validation?

For example, I use unbound as a caching forwarder and have "." set as a
forwarding zone that forwards everything to Google's public DNS

However, when I test dnssec, I get a valid reply from servers such
as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
my normal resolver, in which case I get a SERVFAIL response.

Is this possible? I have trouble understanding why unbound would give a
valid reply, whereas the forwarder server, when queried directly, returns a SERVFAIL
empty answer.


More information about the Unbound-users mailing list