unbound not accepting a stub or forward pointing to a loopback interface.

Måns Nilsson mansaxel at besserwisser.org
Fri May 20 23:13:40 UTC 2016


I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)

The setup is as follows:

unbound is listening on a loopback interface, lo1, using an address that
is anycast, let's call it This address is configured as
resolver in clients. This works.

However, this particular machine is slated to go walkabout in a travel
kit to a place where it might lose its connection. We still want it to
work and keep on serving names, since some resources will be local.

Therefore, we've got an nsd instance running on the same host. The nsd is
slaving a number of the important zones we need off of the normal servers,
and we intend to use stub/forward in unbound to prefer this instance --
a lot of firewalling means we can't freely recurse from the root anyway,
so such a setup is required regardless. We're forwarding to a pair of
DMZ resolver hosts for external names, and to internal name servers for
our own stuff.

I initially tried to make nsd listen on using an extra
loopback interface (in contrast to a statement by a PFY working at a
Swedish ISP back in the dotcom bubble days, we feel that we can afford
loopback interfaces... True story.) and it works. Half-way. I can dig
@ and get excellent answers back. But unbound refuses to use 
the address, and returns SERVFAIL.  As soon as I make nsd listen on a
physical interface on the host and change the unbound config accordingly
so that it points to that address for forwarding/stub address, things
start working.

Is this an issue in unbound or OpenBSD (5.9)? 

Bonus question: Forward or Stub? I never really got through to understand
the differences ;-)

Thanks for any pointers in this. 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
