The issue may not be related to bug #681. Unbound always forwards queries with CD=1 to the forwarder, so Unbound doesn't honor the forwarder's DNSSEC verification (I forgot it!)
So if you have disabled DNSSEC validation you will get an "insecure" answer. If you want SERVFAIL for www.dnssec-failed.org you have to enable DNSSEC validation.

2016-03-01 20:47 GMT+09:00 Daisuke HIGASHI <[email protected]>:
> Hi,
>
> Please show us "how to repeat", such as your unbound configuration
> or the procedure to see the problem...
>
> A possible bug (feature?) concerning the issue is [1].
>
> In Unbound-1.5.4 and older, "unbound-control forward_add . 8.8.8.8"
> adds a forwarder with "forward-first: yes".
> It makes Unbound retry recursion by itself if 8.8.8.8 returns SERVFAIL.
>
> [1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=681
>
>
> 2016-03-01 12:12 GMT+09:00 la9k3 via Unbound-users
> <[email protected]>:
>> Hi, I have been looking online for some time trying to fix this problem,
>> hopefully this is the right last-resort place.
>>
>> Is there a way to make unbound honor my forwarder's dnssec validation?
>>
>> For example, I use unbound as a caching forwarder and have "." set as a
>> forwarding zone that forwards everything to Google's public DNS
>> (8.8.8.8).
>>
>> However, when I test dnssec, I get a valid reply from servers such
>> as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
>> my normal resolver, in which case I get a SERVFAIL response.
>>
>> Is this possible? I have trouble understanding why unbound would give a
>> valid reply, whereas the forwarder server, when queried directly, returns a
>> SERVFAIL empty answer.
>>
>> Thanks
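The following is an added example, not code from this thread or from the Unbound project. It builds raw DNS messages with the CD ("checking disabled") header bit set or cleared and runs them through a constructed, simplified model of a validating upstream resolver (`simulate_validating_forwarder` is an assumption for illustration, not any real resolver's logic; the 192.0.2.1 address is constructed test data). It shows why a forwarder that validates will answer SERVFAIL for a bogus zone when CD=0 but hands back unvalidated data when CD=1, which is the situation Daisuke describes for Unbound's forwarded queries.

```python
import struct

# DNS header flag bits (RFC 1035 header layout, AD/CD from RFC 4035)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: responder validated the answer
FLAG_CD = 0x0010  # checking disabled: responder must not fail on validation
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, checking_disabled=False, qtype=1):
    """Build a minimal A/IN query; CD=1 asks the upstream to skip validation."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields relevant to DNSSEC status."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def question_end(msg):
    """Offset just past the question section (name labels + qtype + qclass)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4


def build_response(query, rcode, ad=False, rdata=None):
    """Echo the query id and question; copy the client's CD bit as resolvers do."""
    hdr = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0xF)
    if hdr["cd"]:
        flags |= FLAG_CD
    if ad:
        flags |= FLAG_AD
    question = query[12:question_end(query)]
    answer, ancount = b"", 0
    if rdata is not None:
        # compression pointer to the question name, type A, class IN, TTL 300, 4-byte rdata
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
        ancount = 1
    return struct.pack("!HHHHHH", hdr["id"], flags, 1, ancount, 0, 0) + question + answer


def simulate_validating_forwarder(query, zone_is_bogus):
    """Constructed, simplified model of a validating upstream resolver.

    A real resolver may still set AD on a CD=1 query when validation succeeds;
    the point modelled here is only that CD=1 never produces SERVFAIL for bogus data.
    """
    test_addr = bytes([192, 0, 2, 1])  # constructed TEST-NET-1 address
    if parse_header(query)["cd"]:
        return build_response(query, RCODE_NOERROR, ad=False, rdata=test_addr)
    if zone_is_bogus:
        return build_response(query, RCODE_SERVFAIL)
    return build_response(query, RCODE_NOERROR, ad=True, rdata=test_addr)


def classify(response):
    """What a non-validating client learns from the response alone."""
    h = parse_header(response)
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"
    return "secure" if h["ad"] else "insecure"


if __name__ == "__main__":
    for cd in (False, True):
        q = build_query("www.dnssec-failed.org", checking_disabled=cd)
        print("CD=%d -> %s" % (cd, classify(simulate_validating_forwarder(q, zone_is_bogus=True))))
```

With CD=0 the bogus zone yields SERVFAIL, with CD=1 the same upstream returns the A record with AD clear, which a non-validating client reports as "insecure" rather than failing. That is why the forwarder's validation cannot be relied on from behind a CD=1 forwarding resolver, and why the answer in the thread is to run the validator locally instead.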
