Unbound error with forward override and DNSSec

Laurent Dinclaux laurent at knc.nc
Thu Jun 24 23:27:42 UTC 2021


Hello,

I use Unbound with OPNsense. I have secured a domain with DNSSec, its DNS
server being on the WAN. It has an office.domain.com subdomain (A record).

I also have a local DNS server where that subdomain is set, so it resolves
locally to local IPs. So I am adding a domain override in Unbound, which
looks like this in the configuration:

private-domain: "office.domain.com"
domain-insecure: "office.domain.com"

forward-zone:
   name: "office.domain.com"
   forward-addr: 10.25.65.16

And I get this error in Unbound:

2021-06-23T20:57:39	unbound[60568]	[60568:1] info: NSEC3s for the referral proved no delegation
2021-06-23T20:57:39	unbound[60568]	[60568:1] info: resolving office.domain.nc. DS IN
2021-06-23T20:57:39	unbound[60568]	[60568:1] info: query response was ANSWER
2021-06-23T20:57:39	unbound[60568]	[60568:1] info: reply from <office.domain.nc.> 10.25.65.16#53
2021-06-23T20:57:39	unbound[60568]	[60568:1] info: response for office.domain.nc. A IN
2021-06-23T20:57:39	unbound[60568]	[60568:1] info: resolving office.domain.nc. A IN


I understand that error. If I disable the DNSSec feature in unbound, it
works.

But I am wondering if there is any way to work around that (without
disabling DNSSec checking), and have unbound give back the ANSWER returned
by that local DNS server?

Regards
-- 
Laurent
laurent at knc.nc
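
Added example, not part of the original message and not Unbound's own code: a small check that every forward-zone or stub-zone in an Unbound configuration is covered by a domain-insecure and a private-domain entry, both of which apply to the named domain and its subdomains. The function names, the second zone (lab.example.net) and its address are constructed for illustration.

```python
import re

# Constructed sample: the override from the post plus a second, hypothetical
# forward-zone (lab.example.net) that lacks a domain-insecure entry.
SAMPLE_CONF = '''
server:
   private-domain: "office.domain.com"
   domain-insecure: "office.domain.com"

forward-zone:
   name: "office.domain.com"
   forward-addr: 10.25.65.16
forward-zone:
   name: "lab.example.net"
   forward-addr: 10.25.65.17
'''

def norm(name):
    """Lower-case a domain name and drop quotes and the trailing dot."""
    return name.strip().strip('"').lower().rstrip(".")

def covered(zone, entries):
    """True if zone equals an entry or is a subdomain of one ("" is the root)."""
    return any(e == "" or zone == e or zone.endswith("." + e) for e in entries)

def parse(conf):
    """Collect forward/stub zone names and the two server-level option lists."""
    zones, opts, clause = [], {"domain-insecure": [], "private-domain": []}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if val == "":
            clause = key                         # clause header, e.g. "forward-zone:"
        elif key == "name" and clause in ("forward-zone", "stub-zone"):
            zones.append(norm(val))
        elif key in opts:
            opts[key].append(norm(val))
    return zones, opts

def audit(conf):
    """Map each forwarded zone to the options that do not cover it."""
    zones, opts = parse(conf)
    return {z: [k for k, v in opts.items() if not covered(z, v)] for z in zones}

if __name__ == "__main__":
    for zone, missing in audit(SAMPLE_CONF).items():
        print(zone, "OK" if not missing else "missing: " + ", ".join(missing))
```
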