Hi Laurent,

I suppose you ran unbound-control to try and reload the file.
You can run:
        unbound-checkconf
to see what is wrong with your configuration file.

If that produces no errors then maybe you have chroot enabled and the configuration file is outside of the chroot? If so, stopping and starting Unbound should work. You could also move the configuration file into the chroot if that is an option.

BTW the option 'trust-anchor:' is an option for the 'server:' section, not the 'stub-zone:' section.

Also your DNSKEY record seems weird.
This needs to be the same record as you get when querying for:
        office.amnc.nc. DNSKEY
with either 'dig' or 'drill'.
That means the public key as it is supposed to be published in the zone.

Best regards,
-- George


On 01/07/2021 08:52, Laurent Dinclaux wrote:
Hello,

Thanks, I tried:

stub-zone:
        name: "office.amnc.nc"
        stub-addr: 10.0.8.6
        stub-first: yes
#       trust-anchor: "office.amnc.nc. IN DNSKEY 50076 10 1 [obfuscated key]"

But I get "fatal error: could not read config file"

On Fri, 25 Jun 2021 at 20:05, George Thessalonikefs via Unbound-users <[email protected]> wrote:

    Hi Laurent,

    If your domain is DNSSEC signed then instead of 'domain-insecure:'
    you need to specify the trust anchor for that domain like:
          trust-anchor: "office.domain.com. IN DNSKEY ..."

    Also if 10.25.65.16 is the authoritative name server for that zone use
    'stub-zone:' instead of 'forward-zone:'. The latter is supposed to
    forward to another resolver.

    BTW I see in your log a completely different domain (office.domain.nc)
    which I don't know how it is supposed to be linked to your signed
    office.domain.com domain.

    Hope that helps,
    -- George

    On 25/06/2021 01:27, Laurent Dinclaux via Unbound-users wrote:
     > Hello,
     >
     > I use Unbound with OPNsense. I have secured a domain with DNSSEC, its
     > DNS server being on the WAN. It has an office.domain.com subdomain
     > (A record).
     >
     > I also have a local DNS server where that subdomain is set, so it
     > resolves locally to local IPs. So I am adding a domain override in
     > Unbound, which looks like this in the configuration:
     >
     > private-domain: "office.domain.com"
     > domain-insecure: "office.domain.com"
     >
     > forward-zone:
     >     name: "office.domain.com"
     >     forward-addr: 10.25.65.16
     >
     > And I get this error in Unbound:
     >
     > 2021-06-23T20:57:39 unbound[60568][60568:1] info: NSEC3s for the referral proved no delegation
     > 2021-06-23T20:57:39 unbound[60568][60568:1] info: resolving office.domain.nc. DS IN
     > 2021-06-23T20:57:39 unbound[60568][60568:1] info: query response was ANSWER
     > 2021-06-23T20:57:39 unbound[60568][60568:1] info: reply from <office.domain.nc.> 10.25.65.16#53
     > 2021-06-23T20:57:39 unbound[60568][60568:1] info: response for office.domain.nc. A IN
     > 2021-06-23T20:57:39 unbound[60568][60568:1] info: resolving office.domain.nc. A IN
     >
     > I understand that error. If I disable the DNSSEC feature in Unbound, it
     > works.
     >
     > But I am wondering if there is any way to work around that (without
     > disabling DNSSEC checking), and have Unbound give back the ANSWER
     > returned by that local DNS server?
     >
     > Regards
     > --
     > Laurent
     > [email protected]



--
Laurent
[email protected]
