On 2025-12-20, [email protected] <[email protected]> wrote:
> My primary unbound forwards everything, mostly to public dns resolvers.
> But some sub-domains I need to do recursive resolution directly (ex: RBLs).
> So I run a second unbound instance for that purpose and the primary unbound
> forwards those sub-domains to the second unbound instance for resolution.
>
> "forward-first: yes" says it'll fall back to normal recursive resolution if
> forwarding fails. No it doesn't, it'll fall back to the next best matching
> forwarder: (if defined). All the forwarders would have to fail and all
> would have to have "forward-first: yes" before normal recursive resolution
> would occur. Would be nice if forwarders allowed exceptions like some of
> the other features in unbound have.

I see that too. That sounds like a bug; I don't see anything in the docs suggesting that a forwarder failure in one forward-zone should fall back to a less specific forward-zone (i.e. ".").

If that worked, you could probably just set forward-addr to a bogus value like 0.0.0.0 and use forward-first (though an explicit "do not use forwarder" config would be nicer).

--
Please keep replies on the mailing list.

