How to use multiple root-hints files to recursively resolve different zones?

Danny Bautista pyrolagus at
Mon Sep 30 22:24:11 UTC 2019

I have unbound set up to do recursive domain name resolution using the root-hints file, but I would also like to be able to 
recursively resolve OpenNIC domain names using the hints for OpenNIC. 
I'm using the config below, and whenever I try to lookup opennic.glue, 
it just tries the regular nameservers rather than the ones specified in 
the "glue" auth-zone root-hints file (and fails, of course). What am I 
doing wrong? Is auth-zone even the right approach?

   interface: ::1
   chroot: ""
   use-syslog: yes
   do-daemonize: no
   username: "unbound"
   directory: "/etc/unbound"
   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
   root-hints: root.hints
   trust-anchor-file: trusted-key.key
   log-servfail: yes

   name: "glue"
   zonefile: "/etc/unbound/opennic.hints"
   for-downstream: no
   fallback-enabled: yes

     control-enable: yes
     control-port: 8953
     server-key-file: "/etc/unbound/unbound_server.key"
     server-cert-file: "/etc/unbound/unbound_server.pem"
     control-key-file: "/etc/unbound/unbound_control.key"
     control-cert-file: "/etc/unbound/unbound_control.pem"

More information about the Unbound-users mailing list