192.18.1 is currently delegated, and it has an NSEC covering it until 192.18.10. So it could happen that, when activating validation, unbound is doing aggressive NSEC and answers NXDOMAIN.
Hugo

On July 25, 2022 8:38:51 PM GMT-04:00, Peter Fraser via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
>Hi All,
>I would really appreciate some help with this strange problem I am having. I
>am running unbound 1.16.1 on FreeBSD 13.1 with NSD. I have only one strange
>problem. I have two subnets on my network, 192.18.1.0/24 and 192.168.2.0/24.
>All forward lookups on both subnets are fine but reverse lookups for the
>192.18.1.0/24 subnet fail. I notice though that when auto-trust-anchor-file
>is disabled, it works. Not sure why since none of my zone records are signed
>anyway.
>
>The server that unbound is on has IP address 192.18.1.12. This is my setup
>below.
>
>
>interface: 192.18.1.12
>do-ip4: yes
>access-control: 0.0.0.0/0 refuse
>access-control: 127.0.0.0/8 allow
>access-control: 192.18.1.0/24 allow
>access-control: 192.168.2.0/24 allow
>
>auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
>local-zone: "my_domain.net." nodefault
>local-zone: "168.192.in-addr.arpa." nodefault
>local-zone: "18.192.in-addr.arpa." nodefault
>
>
>stub-zone:
>    name: "my_domain.net"
>    stub-addr: 192.18.1.12@53000
>
>stub-zone:
>    name: "1.18.192.in-addr.arpa."
>    stub-addr: 192.18.1.12@53000
>
>stub-zone:
>    name: "2.168.192.in-addr.arpa."
>    stub-addr: 192.18.1.12@53000
>
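
An added example, not part of the original thread or of Unbound itself: the unbound.conf(5) manual suggests a `domain-insecure` entry for a locally served stub zone so that DNSSEC validation does not invalidate it, and this Python check lists the stub zones in a configuration that has a trust anchor but no such entry covering them. The sample configuration is constructed from the lines quoted above (the `server:` line is added), and the function name is hypothetical.

```python
import re

# Constructed sample: the relevant lines of the configuration quoted above.
SAMPLE_CONF = '''
server:
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    local-zone: "my_domain.net." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault
    local-zone: "18.192.in-addr.arpa." nodefault
stub-zone:
    name: "my_domain.net"
    stub-addr: 192.18.1.12@53000
stub-zone:
    name: "1.18.192.in-addr.arpa."
    stub-addr: 192.18.1.12@53000
stub-zone:
    name: "2.168.192.in-addr.arpa."
    stub-addr: 192.18.1.12@53000
'''

def _norm(name):
    """Lower-case; strip quotes and the trailing dot so names compare equal."""
    return name.strip().strip('"').rstrip(".").lower()

def stub_zones_without_domain_insecure(conf_text):
    """Return stub-zone names that sit under a configured trust anchor
    but are not covered by any domain-insecure entry."""
    anchored, insecure, stubs, section = False, [], [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "":
            section = key                            # clause header, e.g. stub-zone:
        elif key in ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"):
            anchored = True
        elif key == "domain-insecure":
            insecure.append(_norm(value))
        elif key == "name" and section == "stub-zone":
            stubs.append(_norm(value))
    if not anchored:
        return []                                    # no validation, nothing to exempt
    def covered(zone):
        # domain-insecure applies to the named domain and everything below it
        return any(zone == d or zone.endswith("." + d) for d in insecure)
    return [z for z in stubs if not covered(z)]

if __name__ == "__main__":
    for zone in stub_zones_without_domain_insecure(SAMPLE_CONF):
        print(f'stub zone {zone} is validated; consider domain-insecure: "{zone}."')
```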