How to use multiple root-hints files to recursively resolve different zones?

George Thessalonikefs george at
Tue Oct 1 10:32:43 UTC 2019

Hi Danny,

I am not accustomed to opennic's alternate root and their inner
workings, but I can point out some things.

auth-zone is indeed the wrong place to put root hints.

You can follow these instructions from the opennic wiki
( mainly the part about the
`root-hints:` option and how to get the file content.

You will also need to add the opennic trust anchor in your
`trust-anchor-file:` file in order to resolve their DNSSEC signed
domains  (

With these you should be up and running.

However, please note that by doing that you trust an additional root key
and may face domain name collisions if the same TLDs are registered by
both opennic and ICANN (internic). I *suppose* that in that case the
opennic TLD will take precedence.

Hope that helps.

-- George

On 01/10/2019 00:24, Danny Bautista via Unbound-users wrote:
> I have unbound set up to do recursive domain name resolution using the
> root-hints file, but I would also like to be able to
> recursively resolve OpenNIC domain names using the hints for OpenNIC.
> I'm using the config below, and whenever I try to lookup opennic.glue,
> it just tries the regular nameservers rather than the ones specified in
> the "glue" auth-zone root-hints file (and fails, of course). What am I
> doing wrong? Is auth-zone even the right approach?
> server:
>   interface:
>   interface: ::1
>   chroot: ""
>   use-syslog: yes
>   do-daemonize: no
>   username: "unbound"
>   directory: "/etc/unbound"
>   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>   root-hints: root.hints
>   trust-anchor-file: trusted-key.key
>   log-servfail: yes
> auth-zone:
>   name: "glue"
>   #master:
>   zonefile: "/etc/unbound/opennic.hints"
>   for-downstream: no
>   for-upstream: yes
>   fallback-enabled: yes
> remote-control:
>     control-enable: yes
>     control-interface:
>     control-port: 8953
>     server-key-file: "/etc/unbound/unbound_server.key"
>     server-cert-file: "/etc/unbound/unbound_server.pem"
>     control-key-file: "/etc/unbound/unbound_control.key"
>     control-cert-file: "/etc/unbound/unbound_control.pem"
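
An added example, not part of the original thread and not Unbound's own code: because the file named by `root-hints:` decides which root servers the resolver trusts for every delegation, this Python check lists the root servers a hints file names and flags anything that is not a root NS record or its address. The sample file, its names and its addresses are constructed, and the parser assumes one record per line with the owner name present.

```python
import ipaddress

# Constructed sample: names and documentation-range addresses are made up.
SAMPLE_HINTS = """\
; constructed root hints
.                    3600000  IN  NS    ns1.root.example.
.                    3600000  IN  NS    ns2.root.example.
ns1.root.example.    3600000  IN  A     192.0.2.1
ns1.root.example.    3600000  IN  AAAA  2001:db8::1
stray.example.       3600000  IN  A     192.0.2.99
"""

def parse_records(text):
    """Return (owner, type, rdata) tuples; one record per line, owner always present."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        i = 1  # skip optional TTL and class between owner and type
        while i < len(fields) - 1 and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        records.append((fields[0].lower(), fields[i].upper(), " ".join(fields[i + 1:]).lower()))
    return records

def audit_hints(text):
    """List the root servers a hints file names and flag anything unexpected."""
    records = parse_records(text)
    root_ns = {rdata for owner, rtype, rdata in records if owner == "." and rtype == "NS"}
    glue, problems = {}, []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            try:
                ip = ipaddress.ip_address(rdata)
            except ValueError:
                problems.append(f"bad address for {owner}: {rdata}")
                continue
            if ip.version != (4 if rtype == "A" else 6):
                problems.append(f"{rtype} record for {owner} holds an IPv{ip.version} address")
            elif owner not in root_ns:
                problems.append(f"address for {owner}, which is not a listed root server")
            else:
                glue.setdefault(owner, []).append(str(ip))
        elif not (owner == "." and rtype == "NS"):
            problems.append(f"unexpected {rtype} record at {owner}")
    problems += [f"no address for root server {ns}" for ns in sorted(root_ns - set(glue))]
    return {"servers": {ns: glue.get(ns, []) for ns in sorted(root_ns)}, "problems": problems}

if __name__ == "__main__":
    print(audit_hints(SAMPLE_HINTS))
```

Running it over each hints file before pointing `root-hints:` at it shows exactly which servers will be asked for every top-level delegation.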
