Hi Laurent,

If your domain is DNSSEC signed then instead of 'domain-insecure:'
you need to specify the trust anchor for that domain like:
    trust-anchor: "office.domain.com. IN DNSKEY ..."

Also if 10.25.65.16 is the authoritative name server for that zone use 'stub-zone:' instead of 'forward-zone:'. The latter is supposed to forward to another resolver.

BTW I see in your log a completely different domain (office.domain.nc) which I don't know how it is supposed to be linked to your signed office.domain.com domain.

Hope that helps,
-- George
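Putting the two suggestions above together, here is an added example unbound.conf fragment (written for this reply; it is not Laurent's configuration and not taken from the Unbound documentation). It assumes that 10.25.65.16 is authoritative for office.domain.com and serves a DNSSEC-signed copy of the zone whose key-signing key matches the trust anchor; the DNSKEY value is a placeholder to be replaced with the zone's real record. If the internal copy of the zone is unsigned, or signed with a different key, validation against this anchor will fail.

```conf
server:
    # Allow answers under this name to contain private (RFC 1918) addresses,
    # which the local server returns. This line was already in the original post.
    private-domain: "office.domain.com"

    # The zone is signed, so configure its trust anchor instead of marking it
    # insecure. PLACEHOLDER: replace with the actual KSK DNSKEY of office.domain.com.
    trust-anchor: "office.domain.com. IN DNSKEY 257 3 13 <base64-KSK-public-key-placeholder>"

    # Not this for a signed zone: it switches validation off below that name.
    # domain-insecure: "office.domain.com"

# 10.25.65.16 is authoritative for the zone, so it is a stub target, not a
# resolver to forward to.
stub-zone:
    name: "office.domain.com"
    stub-addr: 10.25.65.16
```

After applying it, `unbound-checkconf` confirms the syntax, and `dig @<resolver-ip> office.domain.com A +dnssec` should return the local address with the `ad` flag set; a SERVFAIL instead means the answers from 10.25.65.16 do not validate against the configured anchor.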

On 25/06/2021 01:27, Laurent Dinclaux via Unbound-users wrote:
Hello,

I use Unbound with OPNsense. I have secured a domain with DNSSec, its DNS server being on the WAN. It has an office.domain.com subdomain (A record).

I also have a local DNS server where that subdomain is set, so it resolves locally to local IPs. So I am adding a domain override in Unbound as such, which is as such in the configuration:

private-domain: "office.domain.com"
domain-insecure: "office.domain.com"

forward-zone:
    name: "office.domain.com"
    forward-addr: 10.25.65.16

And I get this error in Unbound:

2021-06-23T20:57:39unbound[60568][60568:1] info: NSEC3s for the referral proved no delegation
2021-06-23T20:57:39unbound[60568][60568:1] info: resolving office.domain.nc. DS IN
2021-06-23T20:57:39unbound[60568][60568:1] info: query response was ANSWER
2021-06-23T20:57:39unbound[60568][60568:1] info: reply from <office.domain.nc.> 10.25.65.16#53
2021-06-23T20:57:39unbound[60568][60568:1] info: response for office.domain.nc. A IN
2021-06-23T20:57:39unbound[60568][60568:1] info: resolving office.domain.nc. A IN


I understand that error. If I disable the DNSSec feature in unbound, it works.

But I am wondering if there is any way to work around that (without disabling DNSSec checking), and have unbound give back the ANSWER returned by that local DNS server?

Regards
--
Laurent
[email protected]
