notify rejected in unbound 1.16.3

Peter Hessler phessler at
Tue Nov 8 09:26:54 UTC 2022

Hi All,

I'm running unbound 1.16.3 as included in OpenBSD 7.2, and wanted to cache
a public zone on it.  It is a caching resolver for a busy[1] website and
since I use lots of dns entries in my configuration I want to have a
local copy of the zone already in the cache.

I added this stanza to my working configuration:

    name: ""
    primary: ""
#    allow-notify: ""
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes

and configured my primary auth server to allow AXFR and send NOTIFYs to
this system.  When I start unbound, it does an AXFR properly so it has
the data.  However, when i send a NOTIFY I immediately get back a
rejected message.  I've verified that the IP addresses are correct, and
even though it should automatically allow the primary to send notifies
I've tried with manually added allow-notify entries for both the
dual-stack hostname and for the raw IP address of the sending server.

Am I holding it wrong?


[1] Busy is subjective, but the logs scroll by faster than I can read

God made machine language; all the rest is the work of man.

More information about the Unbound-users mailing list