notify rejected in unbound 1.16.3

George (Yorgos) Thessalonikefs george at
Tue Nov 8 12:04:34 UTC 2022

Hi Peter,

ACL (also) comes before NOTIFY processing.
Make sure that the nameserver addresses are not denied (the default) by 

Something like:
         access-control: <IP address> allow

         access-control: <IP address> refuse_non_local

should work.
The latter will make sure to not allow recursion for the <IP address>.

Best regards,
-- Yorgos

On 08/11/2022 10:26, Peter Hessler via Unbound-users wrote:
> Hi All,
> I'm running unbound 1.16.3 as included in OpenBSD 7.2, and wanted to cache
> a public zone on it.  It is a caching resolver for a busy[1] website and
> since I use lots of dns entries in my configuration I want to have a
> local copy of the zone already in the cache.
> I added this stanza to my working configuration:
> auth-zone:
>      name: ""
>      primary: ""
> #    allow-notify: ""
>      fallback-enabled: yes
>      for-downstream: no
>      for-upstream: yes
> and configured my primary auth server to allow AXFR and send NOTIFYs to
> this system.  When I start unbound, it does an AXFR properly so it has
> the data.  However, when i send a NOTIFY I immediately get back a
> rejected message.  I've verified that the IP addresses are correct, and
> even though it should automatically allow the primary to send notifies
> I've tried with manually added allow-notify entries for both the
> dual-stack hostname and for the raw IP address of the sending server.
> Am I holding it wrong?
> -peter
> [1] Busy is subjective, but the logs scroll by faster than I can read
> them.

More information about the Unbound-users mailing list