validating nxdomain for subdomains of data-less labels in auth-zone

Michael Tokarev mjt at
Fri Nov 11 14:09:01 UTC 2022

11.11.2022 16:54, George (Yorgos) Thessalonikefs wrote:
> Now I spot that this is auth-zone.

Yes it is auth-zone.  It is set up this way because it is a remote office with
somewhat flaky connectivity and I thought about always having whole thing locally
instead of relying for the upstream during all the runtime.

> Which version of Unbound is that?

It is 1.16.3 currently.  I thought about giving 1.17 a try, - upgraded to 1.17.0,
with exactly the same effect. (It is Debian package of Unbound, - I'm trying to
keep it current in Debian).

> I would first try with stub-zone instead and point to the NSD instance you mentioned.

The stub-zone works, it worked for many years (with not a best reliability, see
above).  I just tested it again - switching from auth-zone to stub-zone with the
same stub-address works just fine.

It is only the auth-zone which dosn't work - I removed the temporary TXT record and
it started failing again.



More information about the Unbound-users mailing list