can unbound do conditional forwarders? (and bypass DNSSEC checking for THOSE queries)

Rob McEwen rob at
Mon Mar 27 16:18:39 UTC 2023

Thanks Steven. So, for my example scenario, I think the answer is the 
following? (please correct anything that's wrong or omitted)

(1) PUT THIS INTO THE "forward.conf" FILE:

   name: ""

(2) PUT THIS INTO THE "unbound.conf" file:

     domain-insecure: ""

And then restart the unbound service?

Then queries to would get their answers from, and DNSSEC wouldn't be checked for those - and all other 
queries would operate normally, without any of this applying to queries 
that don't end in

Is that correct? If I did anything that's incorrect, or if I missed a 
step - please let me know. (Also, as my original post mentioned, it's 
important that this forwarder NOT apply to other zones!)

Rob McEwen, invaluement

------ Original Message ------
From "Steven Wills" <steven at>
To rob at
Date 3/27/2023 11:58:16 AM
Subject Re: can unbound do conditional forwarders? (and bypass DNSSEC 
checking for THOSE queries)

>This may help.
>There are plenty of guides to send Unbound as a forwarder. I like this 
>Best regards,
>-------- Original Message --------
>On Mar 27, 2023, 10:45, Rob McEwen via Unbound-users < 
>unbound-users at> wrote:
>>I'm new to this list - my apologies if this is already answered. Is 
>>there a way to do conditional forwarders in unbound? ...and bypass 
>>DNSSEC checking for THOSE queries? So to be clear, what I mean is 
>>being able to tell unbound to get answers for a particular zone from a 
>>particular IP address, bypassing the regular DNS system, but also not 
>>changing how other zones/hostnames/domains are handled at all. (which 
>>is why this is called a "conditional" forwarder - it only forwards 
>>under a certain "condition") Here's an example of how this is done in 
>>zone "" IN { type forward; forward only; forwarders { 
>>; }; };
>>So the scenario I need this for - is in those situations where one of 
>>my clients uses an RSYNC feed of the invaluement DNSBL, sets that up 
>>in a locally-hosted rbldnsd instance, then they want their unbound to 
>>get answers ONLY for items that end with a particular hostname - 
>>directly from the local or LAN ip that the rbldnsd instance is 
>>listening on, but keeping all other queries in unbound the same as 
>>before. Also - for some years - conditional forwarding to rbldnsd was 
>>broken in latest-versions of BIND because there wasn't a way to do 
>>this in BIND without also doing DNSSEC checking (unless DNSSEC was 
>>completely turned off!) - and rbldnsd doesn't do DNSSEC (or at least 
>>not without some extra effort?) - so then starting with BIND 9.13.3, 
>>BIND added their "validate-except" option where DNSSEC checking can be 
>>turned off for particular zones, thus enabling the conditional 
>>forwarding to rbldnsd to work again, yet without having to turn DNSSEC 
>>completely off. (that zone just had to be specified in the 
>>"validate-except" option) So if unbound has a similar issue with 
>>DNSSEC being enforced on queries forwarded to rbldnsd, is there a 
>>similar solution? Or, in unbound, is DNSSEC compatibility when 
>>forwarding queries to rbldnsd not a problem in the first place? Thanks 
>>for your help with this!
>>--Rob McEwen, invaluement
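The two settings discussed in this thread, put together in one Unbound configuration as an added example (not taken from any of the posts above). The zone name `dnsbl.example`, the rbldnsd address `192.0.2.10` and the file paths are placeholders:

```conf
# /etc/unbound/unbound.conf (placeholder path; added example, not from the thread)
server:
    # DNSSEC validation stays on for every other zone. The trust anchor
    # path is a placeholder; use the one your distribution installs.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Disable DNSSEC validation ONLY for the zone served by rbldnsd,
    # which does not sign its answers. Nothing outside this zone is affected.
    domain-insecure: "dnsbl.example"

# Conditional forwarder: names at or below dnsbl.example go to rbldnsd,
# everything else is still resolved recursively as before.
# This block may also live in a separate file pulled in with
#   include: "/etc/unbound/forward.conf"
forward-zone:
    name: "dnsbl.example"
    forward-addr: 192.0.2.10      # placeholder LAN address of the rbldnsd instance
    # forward-first defaults to "no", i.e. the equivalent of BIND's "forward only":
    # if rbldnsd does not answer, Unbound does not fall back to recursion.
```

Run `unbound-checkconf` before restarting the service to catch syntax errors in the new blocks.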