Unbound error with forward override and DNSSec

Laurent Dinclaux laurent at knc.nc
Thu Jul 1 06:52:12 UTC 2021


Hello,

Thanks, I tried:

stub-zone:
        name: "office.amnc.nc"
        stub-addr: 10.0.8.6
        stub-first: yes
#       trust-anchor: "office.amnc.nc. IN DNSKEY 50076 10 1 [obfuscated key]"

But I get "fatal error: could not read config file"

On Fri, 25 Jun 2021 at 20:05, George Thessalonikefs via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> Hi Laurent,
>
> If your domain is DNSSEC signed then instead of 'domain-insecure:'
> you need to specify the trust anchor for that domain like:
>      trust-anchor: "office.domain.com. IN DNSKEY ..."
>
> Also if 10.25.65.16 is the authoritative name server for that zone use
> 'stub-zone:' instead of 'forward-zone:'. The latter is supposed to
> forward to another resolver.
>
> BTW I see in your log a completely different domain (office.domain.nc)
> which I don't know how it is supposed to be linked to your signed
> office.domain.com domain.
>
> Hope that helps,
> -- George
>
> On 25/06/2021 01:27, Laurent Dinclaux via Unbound-users wrote:
> > Hello,
> >
> > I use Unbound with OPNsense. I have secured a domain with DNSSec, its
> > DNS server being on the WAN. It has an office.domain.com
> > subdomain (A record)
> >
> > I also have a local DNS server where that subdomain is set, so it
> > resolves locally to local IPs. So I am adding a domain override in
> > Unbound as such, which is as such in the configuration:
> >
> > private-domain: "office.domain.com"
> > domain-insecure: "office.domain.com"
> >
> > forward-zone:
> >     name: "office.domain.com"
> >     forward-addr: 10.25.65.16
> >
> > And I get this error in Unbound:
> >
> > 2021-06-23T20:57:39 unbound[60568][60568:1] info: NSEC3s for the referral proved no delegation
> > 2021-06-23T20:57:39 unbound[60568][60568:1] info: resolving office.domain.nc. DS IN
> > 2021-06-23T20:57:39 unbound[60568][60568:1] info: query response was ANSWER
> > 2021-06-23T20:57:39 unbound[60568][60568:1] info: reply from <office.domain.nc.> 10.25.65.16#53
> > 2021-06-23T20:57:39 unbound[60568][60568:1] info: response for office.domain.nc. A IN
> > 2021-06-23T20:57:39 unbound[60568][60568:1] info: resolving office.domain.nc. A IN
> >
> >
> > I understand that error. If I disable the DNSSec feature in unbound, it
> > works.
> >
> > But I am wondering if there is anyway to work around that (without
> > disabling DNSSec checking), and have unbound give back the ANSWER
> > returned by that local DNS server ?
> >
> > Regards
> > --
> > Laurent
> > laurent at knc.nc
>


-- 
Laurent
laurent at knc.nc
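Added example, not part of this thread and not Unbound's own tooling (the real check is `unbound-checkconf`): a small structural linter for unbound.conf fragments that reports an option placed under the wrong clause (per unbound.conf(5), `trust-anchor:` is a `server:` option, while `stub-addr:` and friends are `stub-zone:` options) and a quoted value that does not close on its own line, as happens when a long trust-anchor line gets wrapped. The zone name and DNSKEY in the samples are constructed placeholders.

```python
import re

# Clause each option belongs to, per unbound.conf(5); unlisted options are left unchecked.
CLAUSE_OF = {
    "trust-anchor": {"server"}, "domain-insecure": {"server"}, "private-domain": {"server"},
    "name": {"stub-zone", "forward-zone"}, "stub-addr": {"stub-zone"}, "stub-first": {"stub-zone"},
    "forward-addr": {"forward-zone"}, "forward-first": {"forward-zone"},
}
CLAUSES = {"server", "stub-zone", "forward-zone", "remote-control", "auth-zone"}

def lint_unbound_conf(text: str) -> list[str]:
    """Return a list of problems found in an unbound.conf fragment (empty if clean)."""
    problems, clause = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^\s*([\w-]+):\s*(.*)$", line)
        if not m:                                   # e.g. the tail of a wrapped value
            problems.append(f"line {lineno}: cannot parse {line.strip()!r}")
            continue
        key, value = m.groups()
        if key in CLAUSES and not value:            # a new clause header
            clause = key
            continue
        if value.count('"') % 2:                    # quote opened but not closed on this line
            problems.append(f"line {lineno}: unterminated quoted value for '{key}:'")
        allowed = CLAUSE_OF.get(key)
        if allowed and clause not in allowed:
            problems.append(f"line {lineno}: '{key}:' belongs under "
                            f"{'/'.join(sorted(allowed))}:, not '{clause}:'")
    return problems

# Constructed samples (placeholder zone and key, not the thread's real values).
BROKEN_CONF = """stub-zone:
    name: "office.example.test."
    stub-addr: 10.0.8.6
    stub-first: yes
    trust-anchor: "office.example.test. IN DNSKEY 257 3 13 PLACEHOLDERKEY"
"""
FIXED_CONF = """server:
    trust-anchor: "office.example.test. IN DNSKEY 257 3 13 PLACEHOLDERKEY"

stub-zone:
    name: "office.example.test."
    stub-addr: 10.0.8.6
    stub-first: yes
"""
```

Running `lint_unbound_conf(BROKEN_CONF)` reports the misplaced `trust-anchor:`; `lint_unbound_conf(FIXED_CONF)` returns an empty list.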