(re)adding local resolver.arpa zone
Havard Eidnes
he at uninett.no
Thu Oct 16 09:06:56 UTC 2025
Hi,
I am now (finally!), after the earlier round of debugging memory
leaks in unbound with use of DoH, re-enabling DoT and DoH on my
unbound instance, since the fix is included in unbound 1.23.1.
Part and parcel of that is getting a local customized
resolver.arpa zone loaded, to enable use of RFC 9462, "Discovery
of Designated Resolvers".
However, I am having a hard time getting my unbound 1.23.1 to
properly load and use my own local resolver.arpa zone.
# unbound-control list_local_zones
says among other things
service.arpa. static
resolver.arpa. static
test. static
and
# unbound-control list_auth_zones
includes info about my locally added "auth-zone":
resolver.arpa. serial 1
(the other zone listed here is an RPZ zone which is irrelevant
here.)
However, it is apparent that when I query this unbound instance
about resolver.arpa, I get the answer from the "local zone", and
not my own customized resolver.arpa zone:
% dig @$unbound_server resolver.arpa. soa
...
;; ANSWER SECTION:
resolver.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
...
This is quite different from what I have in my own "auth-zone"
which is configured with
auth-zone:
name: resolver.arpa
zonefile: "pz/resolver.arpa"
I have been perusing the unbound.conf(5) man page and have the
following remarks:
1) It is somewhat unclear whether "auth-zone:" should be listed
under another "clause", i.e. indented, or whether it should be
on the outermost level in unbound.conf. My current attempt
has it at the outermost level, as shown above.
2) The manual page appears to make a distinction between what's
called a "clause" (outermost level?), such as "server:", and
what's referred to as "options" (to be found under a specific
"clause"(?)). However, the wording on this in general and
wrt. "auth-zone:" could be more unambiguous and explicit.
3) The various options listed under the "server:" clause (and
other clauses) are not alphabetically sorted, which makes
finding a given option quickly quite difficult, given the size
of the man page. Yes, I can search, but then the context of
"under which clause am I now looking" gets lost.
Given some clarification from the maintainers, I can probably
engage in crafting a reshuffling of the unbound.conf content and
to add some words of clarification.
I am left wondering why my auth-zone: configuration section is
apparently both being acted on (ref. list_auth_zones output), and
simultaneously ignored (ref. the list_local_zones output and the
"dig" query), and I suspect it's the "local zones" version of the
resolver.arpa zone which is still being served up to clients,
despite my best attempts at overriding the "local zone" with a
separate authoritative zone of my own. And, yes, I have done a
full restart of unbound, with no scary warnings in syslog.
So ... "help!"
Regards,
- Håvard
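Added example (editor's note, not part of the mail above or of the Unbound project's documentation): the symptom described, an auth-zone that shows up in list_auth_zones while dig still returns the built-in SOA for localhost./nobody.invalid., is what one sees when a default local zone of the same name answers first. This fragment assumes the behaviour that Unbound consults its local zones before its authority zones, and uses the "nodefault" local-zone type, which is the documented way to suppress one of Unbound's built-in default zones. The zonefile path is the one from the mail; everything else (the for-downstream/for-upstream settings and the comments) is an assumption about what a DDR deployment wants.

```conf
# unbound.conf (fragment, added example; assumes Unbound 1.23.1)

server:
    # ... existing server options ...

    # Unbound ships a built-in static "resolver.arpa." local zone
    # (the one listed by "unbound-control list_local_zones").
    # Because local zones are consulted before auth zones (assumed
    # processing order), that default shadows any auth-zone of the
    # same name.  "nodefault" switches the built-in zone off so the
    # authority zone below gets to answer.
    local-zone: "resolver.arpa." nodefault

# "auth-zone:" is its own top-level clause, like "server:" or
# "forward-zone:"; Unbound's parser does not require indentation,
# so placing it at the outermost level, as in the mail, is fine.
auth-zone:
    name: "resolver.arpa."
    zonefile: "pz/resolver.arpa"
    # Answer clients (downstream) from this zone: this is what makes
    # the RFC 9462 "_dns.resolver.arpa" SVCB records visible to them.
    for-downstream: yes
    # Also use the zone data for the resolver's own lookups (default).
    for-upstream: yes
```

After "unbound-checkconf" and a restart, "unbound-control list_local_zones" should no longer list resolver.arpa. among the static zones, and the SOA returned by "dig @$unbound_server resolver.arpa. soa" should be the one from pz/resolver.arpa rather than the localhost./nobody.invalid. record. If the built-in zone is still listed, the "local-zone ... nodefault" line is not being read under the "server:" clause, which is the first thing to check.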