Unbound does not forward query to NSD
François RONVAUX
francois.ronvaux at gmail.com
Thu Mar 25 17:54:57 UTC 2021
Daisuke,
The domain currently has no DNSSEC records.
You are right.
With the "domain-insecure" setting, the query is not forwarded anymore
outside the server.
root@ns1 [18:45:34]:/var/unbound/etc$ rcctl restart unbound && tail -f /var/log/daemon
notice: init module 0: validator
notice: init module 1: iterator
info: DelegationPoint<mydomain.net.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
info: start of service (unbound 1.11.0).
query: 127.0.0.1 mydomain.net. A IN
info: validator operate: query mydomain.net. A IN
info: resolving mydomain.net. A IN
info: processQueryTargets: mydomain.net. A IN
info: sending query: mydomain.net. A IN
info: iterator operate: query mydomain.net. A IN
info: response for mydomain.net. A IN
info: reply from <mydomain.net.> ip_address_ns1#53
info: query response was ANSWER
info: finishing processing for mydomain.net. A IN
info: validator operate: query mydomain.net. A IN
reply: 127.0.0.1 mydomain.net. A IN NOERROR 0.002583 0 57
Thanks for your suggestion!
On Thu, 25 Mar 2021 at 17:29, Daisuke HIGASHI <daisuke.higashi at gmail.com> wrote:
> Hi,
>
> Regardless of forwarder statements, Unbound tries to verify DNSSEC
> "chain of trust" root -> net -> mydomain.net, generating queries to
> these nameservers.
> If this is not desired, mark "insecure" on the target domain.
>
> ----
> domain-insecure: "mydomain.net" ***
> forward-zone:
>     name: "mydomain.net"
>     forward-addr: ip_address_ns1
> ----
>
> or if you have mydomain.net's real DNSSEC trust anchor, set it?
>
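A check for the behaviour discussed in this thread, added here as an example that is not part of the original messages or of Unbound: it reads the "response for" / "reply from" log lines shown above and reports any answer for the forwarded zone that came from an address other than the expected forwarder. The function name offsite_replies and the sample addresses (192.0.2.53 standing in for ip_address_ns1, 198.51.100.30 for an outside server) are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Usage: offsite_replies ZONE ALLOWED_ADDR... < unbound.log
# Prints "NAME TYPE ADDR" for each answer about a name in ZONE that came
# from an address not listed as an allowed forwarder.
# Assumes a quiet test log, so each "reply from" line belongs to the
# "response for" line just before it (the order seen in the log above).
offsite_replies() {
    zone=$1; shift
    awk -v zone="$zone" -v allowed="$*" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        zone = tolower(zone); sub(/\.$/, "", zone)
    }
    # "info: response for NAME TYPE CLASS" names the query being answered
    match($0, /info: response for /) {
        split(substr($0, RSTART + RLENGTH), q, " ")
        qname = q[1]; qtype = q[2]
        next
    }
    # "info: reply from <delegation.> ADDR#PORT" names the answering server
    match($0, /info: reply from </) && qname != "" {
        split(substr($0, RSTART + RLENGTH), r, " ")
        addr = r[2]; sub(/#[0-9]+$/, "", addr)
        name = tolower(qname); sub(/\.$/, "", name)
        tail = substr(name, length(name) - length(zone))
        if ((name == zone || tail == "." zone) && !(addr in ok))
            print qname, qtype, addr
        qname = ""
    }'
}

# Constructed sample log: the A answer comes from the forwarder, while a DS
# lookup for the same zone is answered by a server outside the host.
sample_log() {
    cat <<'EOF'
info: response for mydomain.net. A IN
info: reply from <mydomain.net.> 192.0.2.53#53
info: response for mydomain.net. DS IN
info: reply from <net.> 198.51.100.30#53
info: response for net. DNSKEY IN
info: reply from <net.> 198.51.100.30#53
EOF
}

sample_log | offsite_replies mydomain.net 192.0.2.53
```

Empty output for a log captured after the configuration change means every answer for the zone came from the listed forwarder.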