Getting Refused from stub-zone authoritative query record

Thu Dec 8 13:08:07 UTC 2022

2 Unbound
[dns1 with separate VPS||VM port 53 ]
and
[dns2 with separate VPS||VM port 53]

Both dns1 & dns2 have global IPs with a local alias on the same 
interface igb0 and local IP subnet is on same as the 2 NSD.

access-control: allow_snoop = I changed it from allow for testing 
neither works and access-control I added local IP.

2 NSD
[ns1 with separate VPS||VM port 53]
and
[ns2 with separate VPS||VM port 53]

ns1 (Master) sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN 
ADDRESS
nsd      nsd        40026 5  udp4   192.168.200.200:53    *:*
nsd      nsd        40026 6  tcp4   192.168.200.200:53    *:*
nsd      nsd        40026 7  udp4   192.168.2.136:53      *:*
nsd      nsd        40026 8  tcp4   192.168.2.136:53      *:*
nsd      nsd        40026 10 tcp4   127.0.0.1:8952        *:*
nsd      nsd        10706 10 tcp4   127.0.0.1:8952        *:*

ns2 (Slave) sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN 
ADDRESS
nsd      nsd        33332 5  udp4   192.168.200.220:53    *:*
nsd      nsd        33332 6  tcp4   192.168.200.220:53    *:*
nsd      nsd        33332 7  udp4   192.168.2.147:53      *:*
nsd      nsd        33332 8  tcp4   192.168.2.147:53      *:*
nsd      nsd        33332 10 tcp4   127.0.0.1:8952        *:*
nsd      nsd        24639 10 tcp4   127.0.0.1:8952        *:*

I am using stub-zone on the unbounds (dns1 & dns2) to connect to the ns1 
(master) and while all the zone-file (ns1/ns2) seems to be working/no 
error via nsd-checkzone I can't get a reply of the records. Below are 
the logs from unbound.log.

Dec 07 23:29:49 unbound[495:0] debug: Incoming reply addr = ip4 
192.168.200.200 port 53 (len 16)
Dec 07 23:29:49 unbound[495:0] debug: lookup size is 1 entries
Dec 07 23:29:49 unbound[495:0] debug: received udp reply.
Dec 07 23:29:49 unbound[495:0] debug: udp message[53:0] 
46F380050001000000000001036E73310A6A6541686F6C64496E6703634F4D000006000100002904D0000080000006000F00020014
Dec 07 23:29:49 unbound[495:0] debug: outnet handle udp reply
Dec 07 23:29:49 unbound[495:0] debug: measured roundtrip at 2 msec
Dec 07 23:29:49 unbound[495:0] debug: svcd callbacks start
Dec 07 23:29:49 unbound[495:0] debug: good 0x20-ID in reply qname
Dec 07 23:29:49 unbound[495:0] debug: worker svcd callback for qstate 
0x804ae7150
Dec 07 23:29:49 unbound[495:0] debug: mesh_run: start
Dec 07 23:29:49 unbound[495:0] debug: iterator[module 1] operate: 
extstate:module_wait_reply event:module_event_reply
Dec 07 23:29:49 unbound[495:0] info: iterator operate: query 
example.com. SOA IN
Dec 07 23:29:49 unbound[495:0] debug: process_response: new external 
response event
Dec 07 23:29:49 unbound[495:0] info: scrub for example.com. NS IN
Dec 07 23:29:49 unbound[495:0] info: response for example.com. SOA IN
Dec 07 23:29:49 unbound[495:0] info: reply from <example.com.> 
192.168.200.200#53
Dec 07 23:29:49 unbound[495:0] info: incoming scrubbed packet: ;; 
->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
example.com.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 36

Dec 07 23:29:49 unbound[495:0] debug: iter_handle processing q with 
state QUERY RESPONSE STATE
Dec 07 23:29:49 unbound[495:0] info: query response was THROWAWAY
Dec 07 23:29:49 unbound[495:0] debug: iter_handle processing q with 
state QUERY TARGETS STATE
Dec 07 23:29:49 unbound[495:0] info: processQueryTargets: example.com. 
SOA IN
Dec 07 23:29:49 unbound[495:0] debug: processQueryTargets: targetqueries 
0, currentqueries 0 sentcount 5
Dec 07 23:29:49 unbound[495:0] info: DelegationPoint<example.com.>: 0 
names (0 missing), 1 addrs (0 result, 0 avail) parentNS
Dec 07 23:29:49 unbound[495:0] debug:    ip4 192.168.200.200 port 53 
(len 16)
Dec 07 23:29:49 unbound[495:0] debug: rpz: iterator module callback: 
have_rpz=0
Dec 07 23:29:49 unbound[495:0] debug: No more query targets, attempting 
last resort
Dec 07 23:29:49 unbound[495:0] debug: configured stub or forward servers 
failed -- returning SERVFAIL
Dec 07 23:29:49 unbound[495:0] debug: store error response in message 
cache
Dec 07 23:29:49 unbound[495:0] debug: return error response SERVFAIL
Dec 07 23:29:49 unbound[495:0] debug: mesh_run: iterator module exit 
state is module_finished
Dec 07 23:29:49 unbound[495:0] debug: validator[module 0] operate: 
extstate:module_wait_module event:module_event_moddone
Dec 07 23:29:49 unbound[495:0] info: validator operate: query 
example.com. SOA IN
Dec 07 23:29:49 unbound[495:0] debug: validator: nextmodule returned
Dec 07 23:29:49 unbound[495:0] debug: cannot validate non-answer, rcode 
SERVFAIL
Dec 07 23:29:49 unbound[495:0] debug: mesh_run: validator module exit 
state is module_finished
Dec 07 23:29:49 unbound[495:0] error: SERVFAIL <example.com. SOA IN>: 
all the configured stub or forward servers failed, at zone example.com. 
from 192.168.200.200 got REFUSED
Dec 07 23:29:49 unbound[495:0] debug: comm point stop listening 27
Dec 07 23:29:49 unbound[495:0] debug: comm point start listening 27 
(30000 msec)
Dec 07 23:29:49 unbound[495:0] debug: startlistening 27 mode w
Dec 07 23:29:49 unbound[495:0] debug: query took 1.336436 sec
Dec 07 23:29:49 unbound[495:0] reply: 192.168.200.162 example.com. SOA 
IN SERVFAIL 1.336436 0 36
Dec 07 23:29:49 unbound[495:0] info: mesh_run: end 0 recursion states (0 
with reply, 0 detached), 0 waiting replies, 1 recursion replies sent, 0 
replies dropped, 0 states jostled out

I am also using dnstop to get some statistics in NSD (ns1 =master), 
query seems to me like is coming into the stub-zones / ns1 (master)... 
yet the reply getting refused in unbound. The unbound works for zones 
outside of my stub-zones for example drill -A google.com works fine with 
DNSSEC via forward-addr.

I can't get the stub-zones authoritative to work.

Any help will be greatly appreciated, I am using OS FreeBSD.