interaction of validation and local stubs and forwarders
Måns Nilsson
mansaxel at besserwisser.org
Thu Jan 8 13:56:44 UTC 2026
Greetings,
Is it a recommended solution to have a local domain marked insecure
given the following setup?

server:
    # se is signed, as we know
    module-config: "validator iterator"
    # namn.se is our local domain name.
    private-domain: namn.se
    unblock-lan-zones: yes
    insecure-lan-zones: yes

stub-zone:
    name: namn.se
    # internal name servers
    stub-addr: 192.0.2.53
    stub-addr: 192.0.2.54

forward-zone:
    name: "."
    # these are also unbound, and they validate
    forward-addr: 192.0.2.47
    forward-addr: 192.0.2.11

The question is that _if_ the forward-addrs are unreachable
or unresponsive, a situation we've had, we have noticed
validation failures dependent on SE. for names in namn.SE.
Names which should have been completely found using the stub-
zone: directive. The log message is:
info: validation failure <some-host.namn.SE. A IN>: key for \
validation se. is marked as invalid because of a previous
This message originates on line 1964 in validator/validator.c
in "processInit()" and the comment is "key is bad, chain is bad,
reply is bogus" which sort of fits.
As is usual, I probably have talked myself into believing I've
found the issue but I hope someone is able to refute or affirm
my beliefs.
/Måns
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Now I'm having INSIPID THOUGHTS about the beautiful, round wives of
HOLLYWOOD MOVIE MOGULS encased in PLEXIGLASS CARS and being approached
by SMALL BOYS selling FRUIT ...
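
Added example, not part of the original message and not Unbound project code: a small Python check that lists the stub zones in an unbound.conf that no domain-insecure entry covers, so their answers are still validated through the chain of trust from the root (here via se., which this resolver reaches through its forwarders). It assumes one keyword per line, ignores include: files and locally configured trust anchors, and uses hypothetical function names; the sample is the configuration quoted in the message, where insecure-lan-zones only affects the private reverse zones and therefore does not cover namn.se.

```python
import re

# Constructed sample: the resolver configuration quoted in the message.
SAMPLE_CONF = """\
server:
    module-config: "validator iterator"
    private-domain: namn.se
    unblock-lan-zones: yes
    insecure-lan-zones: yes
stub-zone:
    name: namn.se
    stub-addr: 192.0.2.53
    stub-addr: 192.0.2.54
forward-zone:
    name: "."
    forward-addr: 192.0.2.47
"""

def norm(name):
    """Lower-case a domain name and strip quotes and the trailing dot."""
    return name.strip().strip('"').lower().rstrip(".")

def parse(conf):
    """Return (stub zone names, domain-insecure names) from unbound.conf text."""
    stubs, insecure, clause = [], [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.groups()
        if val == "":
            clause = key  # clause header such as "server:" or "stub-zone:"
        elif clause == "stub-zone" and key == "name":
            stubs.append(norm(val))
        elif clause == "server" and key == "domain-insecure":
            insecure.append(norm(val))
    return stubs, insecure

def covered(zone, insecure):
    """True if zone equals or lies below a domain-insecure name."""
    return any(d == "" or zone == d or zone.endswith("." + d) for d in insecure)

def stubs_needing_chain(conf):
    """Stub zones still validated through the public chain of trust."""
    stubs, insecure = parse(conf)
    return [z for z in stubs if not covered(z, insecure)]

if __name__ == "__main__":
    print(stubs_needing_chain(SAMPLE_CONF))
```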