NXDOMAIN on unbound with local stub TLD

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Mon Feb 7 15:30:22 UTC 2022


Hi George

Version 1.13.2

Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --disable-explicit-port-randomisation --without-pthreads
Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.4.1
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs at nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

------- Original Message -------

On Monday, February 7th, 2022 at 13:18, George Thessalonikefs via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> Hi Laura,
>
> I don't see anything wrong with your configuration.
>
> The
>
> local-zone: "bar.corp" nodefault
>
> is not needed because bar.corp is not one of the default zones; unless
> you use that domain as a placeholder here.
>
> Which version of unbound is this?
>
> Could you provide the 'unbound -V' output?
>
> Is this reproducible in your case?
>
> Best regards,
>
> -- George
>
> On 06/02/2022 16:07, Laura Smith via Unbound-users wrote:
>
> > I would appreciate a second pair of eyes on the below problem. I should say that I think I subsequently solved it by adding "stub-no-cache: yes" to the unbound config shown (early days, still monitoring it) but I would welcome any additional insight/opinion (and perhaps even suggestions as to if there are ways to improve the config).
> >
> > Weird problem where I am getting an NXDOMAIN (per below) on my internal "bar.corp" domain.
> >
> > My unbound config is as follows. If I do the same dig query directly against the stub resolvers, it works with no issue.
> >
> > I should add that this is/was a long-standing config that was working fine for a long time until it mysteriously did not.
> >
> > server:
> >     interface: 127.0.0.1
> >     extra interface: entries removed for list post
> >     ==============================================
> >     do-ip6: yes
> >     access-control: 0.0.0.0/0 refuse
> >     access-control: ::0/0 refuse
> >     access-control: 127.0.0.0/8 allow
> >     access-control: ::1 allow
> >     access-control: 10.0.0.0/8 allow
> >     hide-identity: yes
> >     hide-version: yes
> >     hide-version: yes
> >     auto-trust-anchor-file: "/var/unbound/db/root.key"
> >     prefetch: yes
> >     prefetch-key: yes
> >     rrset-roundrobin: yes
> >     minimal-responses: yes
> >     root-hints: "/var/unbound/db/named.root"
> >     domain-insecure: "bar.corp"
> >     local-zone: "bar.corp" nodefault
> >     local-zone: "use-application-dns.net" always_nxdomain
> >
> > remote-control:
> >     control-enable: yes
> >     control-use-cert: no
> >     control-interface: /var/run/unbound.sock
> >
> > stub-zone:
> >     name: "bar.corp"
> >     stub-addr: 10.0.0.50
> >     stub-addr: 10.0.1.50
> >
> > ; <<>> DiG 9.16.22-Debian <<>> foo.bar.corp
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46113
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 1232
> > ;; QUESTION SECTION:
> > ;foo.bar.corp. IN A
> >
> > ;; AUTHORITY SECTION:
> > . 3501 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020600 1800 900 604800 86400
> >
> > ;; Query time: 4 msec
> > ;; SERVER: <MY_UNBOUND_RESOLVER_IP>
> > ;; WHEN: Sun Feb 06 12:21:04 GMT 2022
> > ;; MSG SIZE rcvd: 122
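The diagnostic detail in the dig output above is the AUTHORITY section: the SOA owner is the root (".") rather than bar.corp, so that NXDOMAIN did not come from the stub servers at all. As an added example (not code from the thread or from Unbound), here is a small Python checker that parses dig text output and reports whether a negative answer carries the stub zone's own SOA; the second sample response, showing the shape of an answer served by the bar.corp servers, is constructed.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
# Matches an SOA line such as ". 3501 IN SOA a.root-servers.net. nstld.verisign-grs.com. ..."
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)", re.M)

def authority_section(dig_output: str) -> str:
    """Return the lines under dig's ';; AUTHORITY SECTION:' (empty if absent)."""
    _, marker, tail = dig_output.partition(";; AUTHORITY SECTION:")
    body = []
    for line in (tail.splitlines()[1:] if marker else []):
        if line.startswith(";;"):  # the next section header ends the block
            break
        body.append(line)
    return "\n".join(body)

def is_within_zone(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (absolute or relative, any case)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def negative_answer_origin(dig_output: str, stub_zone: str) -> dict:
    """Report whether a negative answer carries the stub zone's own SOA.
    For a stub zone the SOA owner should be the zone itself; a SOA owned by a
    parent (the root '.' in the thread) means the answer came from elsewhere."""
    status = STATUS_RE.search(dig_output)
    soa = SOA_RE.search(authority_section(dig_output))
    owner = soa.group(1) if soa else None
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "soa_owner": owner,
        "soa_mname": soa.group(2) if soa else None,
        "answered_by_stub_zone": is_within_zone(owner, stub_zone) if owner else None,
    }

# The dig output from the thread, trimmed to the lines that matter.
THREAD_DIG = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46113
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
. 3501 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020600 1800 900 604800 86400
;; Query time: 4 msec"""

# Constructed sample: a negative answer as the bar.corp stub servers would return it.
STUB_DIG = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; AUTHORITY SECTION:
bar.corp. 3600 IN SOA ns1.bar.corp. hostmaster.bar.corp. 1 3600 900 604800 300
;; Query time: 1 msec"""
```

Running `negative_answer_origin(THREAD_DIG, "bar.corp")` flags the thread's answer as not served by the stub zone, while the constructed stub response passes.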