Unbound does not forward query to NSD

François RONVAUX francois.ronvaux at gmail.com
Thu Mar 25 15:14:01 UTC 2021


Hello Tom,


Thanks for your reply.

This is what I get after restarting Unbound with the "verbosity: 3" setting...

root@ns1 [14:53:10]:/var/log$ dig mydomain.net

root@ns1 [14:53:10]:/var/log$ tail -f daemon
Mar 25 14:53:10 ns1 unbound: [84765:0] notice: init module 0: validator
Mar 25 14:53:10 ns1 unbound: [84765:0] notice: init module 1: iterator
Mar 25 14:53:10 ns1 unbound: [84765:0] info: DelegationPoint<mydomain.net.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
Mar 25 14:53:10 ns1 unbound: [84765:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
Mar 25 14:53:10 ns1 unbound: [84765:0] info: start of service (unbound 1.11.0).
Mar 25 14:54:20 ns1 unbound: [84765:0] query: 127.0.0.1 mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: resolving mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: processQueryTargets: mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: sending query: mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: iterator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <mydomain.net.> ip_address_ns2#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: finishing processing for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: prime trust anchor
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query . DNSKEY IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: resolving . DNSKEY IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: priming . IN NS
Mar 25 14:54:20 ns1 unbound: [84765:0] info: iterator operate: query . NS IN
[...]
around 1k lines of queries and answers!
[...]
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <net.> 192.31.80.30#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was nodata ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: finishing processing for mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: NSEC3s for the referral proved no DS.
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: Verified that unsigned response is INSECURE
Mar 25 14:54:20 ns1 unbound: [84765:0] reply: 127.0.0.1 mydomain.net. A IN NOERROR 0.195477 0 57


So it seems that the NSD server (ns2.mydomain.net) is queried first but the
query still goes up to the root DNS.
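
Added example, not part of the original message: a small Python reader for a verbosity-3 log like the one above that rejoins wrapped entries and separates upstream replies that answer the client's question from replies to the validator's DS/DNSKEY lookups. The function names are hypothetical, and classifying by query type is an assumption that fits the entries shown here.

```python
import re

# Constructed sample: entries copied from the log in the post, wrapped
# mid-entry the way a mail client or terminal would wrap them.
SAMPLE = """\
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <mydomain.net.>
ip_address_ns2#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. DS
IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <net.>
192.31.80.30#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: NSEC3s for the referral proved
no DS.
Mar 25 14:54:20 ns1 unbound: [84765:0] info: Verified that unsigned
response is INSECURE
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"unbound: \[\d+:\d+\] \w+: (.*)$")
RESPONSE = re.compile(r"^response for (\S+) (\S+) IN$")
REPLY = re.compile(r"^reply from <(\S+)> (\S+)#\d+$")
DNSSEC_TYPES = {"DS", "DNSKEY"}  # assumption: these come from the validator

def unwrap(text):
    """Rejoin continuation lines (no syslog timestamp) to their entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def classify(text):
    """Split upstream replies into client resolution vs DNSSEC chain lookups."""
    out = {"resolution": [], "validation": [], "verdict": None}
    pending = None  # (qname, qtype) from the last "response for" entry
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        msg = m.group(1) if m else ""
        if (r := RESPONSE.match(msg)):
            pending = r.groups()
        elif (r := REPLY.match(msg)) and pending:
            kind = "validation" if pending[1] in DNSSEC_TYPES else "resolution"
            out[kind].append((*pending, r.group(1), r.group(2)))
            pending = None
        elif msg.startswith("Verified that"):
            out["verdict"] = msg.rsplit(" ", 1)[-1]
    return out
```

Each tuple is (query name, query type, zone of the server that replied, server address); the verdict is the last word of the validator's "Verified that ..." entry.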