Unbound error with forward override and DNSSec

George Thessalonikefs george at nlnetlabs.nl
Sun Jul 4 14:21:12 UTC 2021


Hi Laurent,

I suppose you ran unbound-control to try and reload the file.
You can run:
	unbound-checkconf
to see what is wrong with your configuration file.

If that produces no errors then maybe you have chroot enabled and the 
configuration file is outside of the chroot? If so, stopping and 
starting Unbound should work. You could also move the configuration file 
in the chroot if that is an option.

BTW the option 'trust-anchor:' is an option for the 'server:' section, 
not the 'stub-zone:' section.

Also your DNSKEY record seems weird.
This needs to be the same record as you get when querying for:
	office.amnc.nc. DNSKEY
with either 'dig' or 'drill'.
That means the public key as it is supposed to be published in the zone.

Best regards,
-- George
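George's last two points, that `trust-anchor:` belongs under `server:` and that the anchor must be the DNSKEY exactly as `dig` or `drill` shows it published (flags, protocol, algorithm, base64 key, not a key-tag triple like `50076 10 1`), can be checked before editing unbound.conf. The Python below is an added example for this thread, not Unbound's code or anything George or Laurent posted; the zone name `office.example.` and the key bytes in the usage are constructed placeholders, and the key-tag routine is there so the pinned key can be compared with the key tag in the parent's DS record.

```python
import base64
# DNSSEC signing algorithms a validator can use; anything else is rejected.
KNOWN_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}

def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' as dig/drill
    prints it. Returns (record, "") or (None, reason)."""
    tokens = rr.split()
    rdata = tokens[tokens.index("DNSKEY") + 1:] if "DNSKEY" in tokens else []
    if len(rdata) < 4 or not all(x.isdigit() for x in rdata[:3]):
        return None, "need DNSKEY with numeric flags, protocol, algorithm, key"
    flags, protocol, algorithm = (int(x) for x in rdata[:3])
    if flags not in (256, 257):  # a value like 50076 is a key tag, not flags
        return None, f"flags {flags}: expected 256 (ZSK) or 257 (KSK)"
    if protocol != 3:
        return None, f"protocol {protocol}: DNSKEY protocol is always 3"
    if algorithm not in KNOWN_ALGORITHMS:
        return None, f"unknown DNSSEC algorithm {algorithm}"
    try:
        key = base64.b64decode("".join(rdata[3:]), validate=True)  # dig wraps
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, "key data is not valid base64"
    owner = tokens[0] if tokens[0].endswith(".") else tokens[0] + "."
    return dict(owner=owner, flags=flags, protocol=protocol,
                algorithm=algorithm, key=key), ""

def key_tag(rec: dict) -> int:
    """RFC 4034 Appendix B tag over wire RDATA; must match the parent's DS."""
    data = rec["flags"].to_bytes(2, "big") + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"]
    ac = 0
    for i, b in enumerate(data):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def unbound_config(rr: str, stub_addr: str) -> str:
    """Layout George describes: trust-anchor: under server:, stub-zone: apart."""
    rec, why = parse_dnskey(rr)
    if rec is None:
        raise ValueError(why)
    b64 = base64.b64encode(rec["key"]).decode()
    return "\n".join([
        "server:",
        f'    trust-anchor: "{rec["owner"]} IN DNSKEY {rec["flags"]} {rec["protocol"]} {rec["algorithm"]} {b64}"',
        "stub-zone:",
        f'    name: "{rec["owner"]}"',
        f"    stub-addr: {stub_addr}",
        "    stub-first: yes",
    ])
```

Feed it the output of `dig office.example. DNSKEY +short` style lines (constructed here); a line shaped like the one in the thread, `DNSKEY 50076 10 1 ...`, is rejected with a reason instead of being written into the config.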


On 01/07/2021 08:52, Laurent Dinclaux wrote:
> Hello,
> 
> Thanks, I tried:
> 
> stub-zone:
>          name: "office.amnc.nc"
>          stub-addr: 10.0.8.6
>          stub-first: yes
> #       trust-anchor: "office.amnc.nc. IN DNSKEY 50076 10 1 [obfuscated key]"
> 
> But I get "fatal error: could not read config file"
> 
> On Fri, 25 Jun 2021 at 20:05, George Thessalonikefs via Unbound-users
> <unbound-users at lists.nlnetlabs.nl> wrote:
> 
>     Hi Laurent,
> 
>     If your domain is DNSSEC signed then instead of 'domain-insecure:'
>     you need to specify the trust anchor for that domain like:
>           trust-anchor: "office.domain.com. IN DNSKEY ..."
> 
>     Also if 10.25.65.16 is the authoritative name server for that zone use
>     'stub-zone:' instead of 'forward-zone:'. The latter is supposed to
>     forward to another resolver.
> 
>     BTW I see in your log a completely different domain (office.domain.nc)
>     which I don't know how it is supposed to be linked to your signed
>     office.domain.com domain.
> 
>     Hope that helps,
>     -- George
> 
>     On 25/06/2021 01:27, Laurent Dinclaux via Unbound-users wrote:
>      > Hello,
>      >
>      > I use Unbound with OPNsense. I have secured a domain with DNSSec, its
>      > DNS server being on the WAN. It has an office.domain.com subdomain
>      > (A record)
>      >
>      > I also have a local DNS server where that subdomain is set, so it
>      > resolves locally to local IPs. So I am adding a domain override in
>      > Unbound as such, which is as such in the configuration:
>      >
>      > private-domain: "office.domain.com"
>      > domain-insecure: "office.domain.com"
>      >
>      > forward-zone:
>      >     name: "office.domain.com"
>      >     forward-addr: 10.25.65.16
>      >
>      > And I get this error in Unbound:
>      >
>      > 2021-06-23T20:57:39 unbound[60568][60568:1] info: NSEC3s for the referral proved no delegation
>      > 2021-06-23T20:57:39 unbound[60568][60568:1] info: resolving office.domain.nc. DS IN
>      > 2021-06-23T20:57:39 unbound[60568][60568:1] info: query response was ANSWER
>      > 2021-06-23T20:57:39 unbound[60568][60568:1] info: reply from <office.domain.nc.> 10.25.65.16#53
>      > 2021-06-23T20:57:39 unbound[60568][60568:1] info: response for office.domain.nc. A IN
>      > 2021-06-23T20:57:39 unbound[60568][60568:1] info: resolving office.domain.nc. A IN
>      >
>      >
>      > I understand that error. If I disable the DNSSec feature in
>     unbound, it
>      > works.
>      >
>      > But I am wondering if there is any way to work around that (without
>      > disabling DNSSec checking), and have unbound give back the ANSWER
>      > returned by that local DNS server?
>      >
>      > Regards
>      > --
>      > Laurent
>      > laurent at knc.nc
> 
> 
> 
> -- 
> Laurent
> laurent at knc.nc

