unbound and nsd on the same machine - what am I missing?

bofh goodb0fh at gmail.com
Tue Apr 28 06:29:37 UTC 2020


I'm running nsd and unbound on my OpenBSD server.

nsd is listening on 127.0.0.1:53 and is master for two internal zones:
    example.com
    10.10.10.in-addr.arpa

unbound is listening on 10.10.10.1:53

-----unbound.conf-----
server:
    interface: 10.10.10.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control:  10.10.10.0/24 allow
    access-control:  ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version:  yes

    do-not-query-localhost: no  # I was really surprised this was needed
    local-zone:  "10.10.10.in-addr.arpa" nodefault  # is this needed?

stub-zone:
    name: "example.com"
    stub-addr: 127.0.0.1

stub-zone:
    name: "10.10.10.in-addr.arpa."
    stub-addr: 127.0.0.1
---------------------------

When I run nslookup, and set my server to 10.10.10.1 (unbound listening on
53), I get the following results:

amazon:  works
host.example.com:  works
10.10.10.1:  does not work (server can't find 1.10.10.10.in-addr.arpa.:
NXDOMAIN)

When I point nslookup to 127.0.0.1 (nsd listening on 53), I get the
following results:

amazon.com:  NXDOMAIN (expected)
host.example.com:  10.10.10.1
10.10.10.1:  host.example.com

I was really banging my head against the wall until I saw
do-not-query-localhost (why do I need to set that when I set up a stub-zone
- more importantly, why doesn't the stub-zone documentation mention the
need for this?!)

What am I missing to get results for the reverse lookup?

Thanks!


More information about the Unbound-users mailing list