I see. Thanks for that. Is it possible then to configure unbound to exclude 
dnssec validation for local domains and do it for all external domains?


Regards,

On Jul 25, 2022, at 8:12 PM, Hugo Salgado <hsalg...@vulcano.cl> wrote:

192.18.1 is currently delegated, and it has an nsec covering it until 
192.18.10. So it could happen that, with validation activated, unbound is doing 
aggressive nsec and answers nxdomain.

Hugo


On July 25, 2022 8:38:51 PM GMT-04:00, Peter Fraser via Unbound-users 
<unbound-users@lists.nlnetlabs.nl> wrote:
Hi All,
I would really appreciate some help with this strange problem I am having. I am 
running unbound 1.16.1 on FreeBSD 13.1 with NSD. I have only one strange 
problem. I have two subnets on my network, 192.18.1.0/24 and 192.168.2.0/24. 
All forward lookups on both subnets are fine but reverse lookups for the 
192.18.1.0/24 subnet fail. I notice though that when auto-trust-anchor-file is 
disabled, it works. Not sure why since none of my zone records are signed 
anyway.

The server that unbound is on has IP address 192.18.1.12. This is my setup 
below.


interface: 192.18.1.12
do-ip4: yes
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.18.1.0/24 allow
access-control: 192.168.2.0/24 allow

auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
local-zone: "my_domain.net." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
local-zone: "18.192.in-addr.arpa." nodefault


stub-zone:
  name: "my_domain.net"
  stub-addr: 192.18.1.12@53000

stub-zone:
  name: "1.18.192.in-addr.arpa."
  stub-addr: 192.18.1.12@53000

stub-zone:
  name: "2.168.192.in-addr.arpa."
  stub-addr: 192.18.1.12@53000
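
Added example, not part of the original thread or of unbound itself: unbound's domain-insecure: option exempts a zone from DNSSEC validation while the trust anchor stays active for all other names. The Python sketch below lists stub zones in a config that no domain-insecure: entry covers, as candidates for review; the sample config is constructed from the zones in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the zones from the post, with domain-insecure added for
# only one of them (an assumption for illustration; the posted config has none).
SAMPLE_CONF = '''
server:
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
  domain-insecure: "2.168.192.in-addr.arpa."
stub-zone:
  name: "my_domain.net"
  stub-addr: 192.18.1.12@53000
stub-zone:
  name: "1.18.192.in-addr.arpa."
  stub-addr: 192.18.1.12@53000
stub-zone:
  name: "2.168.192.in-addr.arpa."
  stub-addr: 192.18.1.12@53000
'''
ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"}

def norm(name):
    """Strip quotes and the trailing dot, lower-case the DNS name."""
    return name.strip().strip('"').lower().rstrip(".")

def covered(zone, insecure):
    """True if zone equals, or is a subdomain of, a domain-insecure entry."""
    return any(zone == d or zone.endswith("." + d) for d in insecure)

def stub_zones_still_validated(conf):
    """Return stub-zone names that no domain-insecure entry exempts."""
    validating, section, stubs, insecure = False, None, [], set()
    for raw in conf.splitlines():
        m = re.match(r"([\w-]+):\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.groups()
        if val == "":                      # clause header: server:, stub-zone:
            section = key
        elif key in ANCHOR_KEYS:
            validating = True
        elif key == "domain-insecure":
            insecure.add(norm(val))
        elif key == "name" and section == "stub-zone":
            stubs.append(norm(val))
    # Without a trust anchor unbound does not validate, so nothing to report.
    return [z for z in stubs if validating and not covered(z, insecure)]

if __name__ == "__main__":
    print(stub_zones_still_validated(SAMPLE_CONF))
```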
