This does sound like a bug for auth-zone then.
I don't have time to replicate atm but could you open an issue for it?

Also, is this NSEC or NSEC3?

Best regards,
-- Yorgos

On 11/11/2022 15:09, Michael Tokarev wrote:
11.11.2022 16:54, George (Yorgos) Thessalonikefs wrote:
Now I spot that this is auth-zone.

Yes it is auth-zone.  It is set up this way because it is a remote office with somewhat flaky connectivity and I thought about always having whole thing locally
instead of relying for the upstream during all the runtime.

Which version of Unbound is that?

It is 1.16.3 currently.  I thought about giving 1.17 a try, - upgraded to 1.17.0, with exactly the same effect. (It is Debian package of Unbound, - I'm trying to
keep it current in Debian).

I would first try with stub-zone instead and point to the NSD instance you mentioned.

The stub-zone works, it worked for many years (with not a best reliability, see above).  I just tested it again - switching from auth-zone to stub-zone with the
same stub-address works just fine.

It is only the auth-zone which dosn't work - I removed the temporary TXT record and
it started failing again.

Thanks!

/mjt

Reply via email to