The same thing does not work for me. Can you try the configuration I provided in my previous email to Daisuke Higashi?
On Tue, Mar 01, 2016 at 12:44:26AM -0500, Paul Wouters wrote:
> On Mon, 29 Feb 2016, la9k3 via Unbound-users wrote:
>
> > Is there a way to make unbound honor my forwarder's dnssec validation?
> >
> > For example, I use unbound as a caching forwarder and have "." set as a
> > forwarding zone that forwards everything to Google's public DNS
> > (8.8.8.8).
> >
> > However, when I test dnssec, I get a valid reply from servers such
> > as www.dnssec-failed.org. This doesn't happen if I use Google's DNS as
> > my normal resolver, in which case I get a SERVFAIL response.
>
> That works for me:
>
> paul@bofh:~$ sudo service unbound restart
> Redirecting to /bin/systemctl restart unbound.service
> paul@bofh:~$ sudo unbound-control list_forwards
> paul@bofh:~$ sudo unbound-control forward_add . 8.8.8.8
> ok
> paul@bofh:~$ cat /etc/resolv.conf
> # Generated by NetworkManager
> search nohats.ca
> nameserver 127.0.0.1
> paul@bofh:~$ dig +dnssec www.dnssec-failed.org
>
> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> +dnssec www.dnssec-failed.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14945
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org. IN A
>
> ;; Query time: 490 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Mar 01 00:43:08 EST 2016
> ;; MSG SIZE rcvd: 50
>
> paul@bofh:~$
