Unbound error with forward override and DNSSec

George Thessalonikefs george at nlnetlabs.nl
Fri Jun 25 09:04:45 UTC 2021

Hi Laurent,

If your domain is DNSSEC signed then instead of 'domain-insecure:'
you need to specify the trust anchor for that domain like:
     trust-anchor: "office.domain.com. IN DNSKEY ..."

Also if is the authoritative name server for that zone use 
'stub-zone:' instead of 'forward-zone:'. The latter is supposed to 
forward to another resolver.

BTW I see in your log a completely different domain (office.domain.nc) 
which I don't know how it is supposed to be linked to your singed 
office.domain.com domain.

Hope that helps,
-- George

On 25/06/2021 01:27, Laurent Dinclaux via Unbound-users wrote:
> Hello,
> I use Unbound with OPNsense. I have secured a domain with DNSSec, its 
> DNS server being on the WAN. It has an office.domain.com 
> <http://office.domain.com> subdomain (A record)
> I also have a local DNS server where that subdomain is set, so it 
> resolves locally to local IPs. So I am adding a domain override in 
> Unbound as such, which is as such in the configuration:
> private-domain: "office.domain.com <http://office.domain.com>"
> domain-insecure: "office.domain.com <http://office.domain.com>"
> forward-zone:
>     name: "office.domain.com <http://office.domain.com>"
>     forward-addr:
> And I get this error in Unbound:
> |2021-06-23T20:57:39unbound[60568][60568:1] info: NSEC3s for the 
> referral proved no delegation
> 2021-06-23T20:57:39unbound[60568][60568:1] info: resolving 
> office.domain.nc <http://office.domain.nc>. DS IN
> 2021-06-23T20:57:39unbound[60568][60568:1] info: query response was ANSWER
> 2021-06-23T20:57:39unbound[60568][60568:1] info: reply from 
> <office.domain.nc <http://office.domain.nc>.>
> 2021-06-23T20:57:39unbound[60568][60568:1] info: response for 
> office.domain.nc <http://office.domain.nc>. A IN
> 2021-06-23T20:57:39unbound[60568][60568:1] info: resolving 
> office.domain.nc <http://office.domain.nc>. A IN|
> I understand that error. If I disable the DNSSec feature in unbound, it 
> works.
> But I am wondering if there is anyway to work around that (without 
> disabling DNSSec checking), and have unbound give back the ANSWER 
> returned by that local DNS server ?
> Regards
> -- 
> Laurent
> laurent at knc.nc <mailto:laurent at knc.nc>

More information about the Unbound-users mailing list