On 2025-12-22, [email protected] <[email protected]> wrote:
> From "man unbound.conf" the prominent text is:
>
> "  forward-first: <yes or no>
> "    If a forwarded query is met with a SERVFAIL error, and this option
> "    is enabled, Unbound will fall back to normal recursive resolution
> "    for this query as if no query forwarding had been specified.
> "
> "    Default: no
>
> To me this is almost saying two different actions:
> 1) fall back and do normal direct recursive resolution
> 2) fall back for this query as if the forward-zone is not configured
>
> As much as I would like to see action 1, unbound responds with action 2.

I have checked with upstream and it is intended behaviour (though not
helpful for this use case); they have now clarified this in the docs:
https://github.com/NLnetLabs/unbound/commit/09d352b91726a333242c608a6a90def4713ed214

> My solution thus far has been to use two unbound instances.

I think that's what you need to do here (or use some alternative software).

> I stopped using bind years ago, not long after openbsd switched from bind to
> unbound.
> I'm curious but never looked to see how bind handles forwarding.
>
> But I'm not switching back to bind, unbound's local-data can do things I was
> never able to figure out in bind. Back in the day I needed to redirect
> "google.com" to "forcesafesearch.google.com" but let "*.google.com" resolve
> normally, unbound made this trivial with local-data lines.

Apparently BIND can handle this "forward by default but exempt some domain"
setup (it seems to be: configure "forwarders { 192.0.2.0 }" in the main
section, then configure a zone with empty forwarders). Unbound can't, and
PowerDNS recursor can't (the suggestion on their mailing list was to front-end
with dnsdist).
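For reference, here is what the BIND "forward by default, but exempt one domain" layout described above looks like as a named.conf fragment. This is an added example, not configuration from the thread or from the BIND project; the upstream forwarder address 192.0.2.1 (documentation range) and the exempted zone name example.com are placeholders, and the client address list is made up.

```conf
// Added example (not from the thread): BIND 9 named.conf fragment for
// "forward everything to an upstream resolver, except one domain".
// Placeholders: 192.0.2.1 is the upstream forwarder, example.com is the
// domain that must be resolved directly, 192.168.0.0/16 is the client range.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localhost; 192.168.0.0/16; };

    // Global policy: ask the upstream forwarder first ...
    forwarders { 192.0.2.1; };
    // ... and if it fails to answer, fall back to normal recursion from the
    // root servers ("forward only" would instead return the failure).
    forward first;
};

// A forward zone with an EMPTY forwarders list turns forwarding off for this
// name and everything under it: example.com and *.example.com are resolved
// recursively by this server, ignoring the global forwarders above.
zone "example.com" {
    type forward;
    forwarders { };
};
```

Run `named-checkconf` on the resulting file before reloading; a missing semicolon inside the empty `forwarders { };` list is the usual typo. Note that `forward first` in BIND is the behaviour the original poster called "action 1" (direct recursion after the forwarder fails), which is exactly the point where Unbound's forward-first differs.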

