Maintained by: NLnet Labs

[Unbound-users] Servers for local zones that are not signed

Eugene Crosser
Fri Jul 6 15:13:22 CEST 2012

On 07/06/2012 04:45 PM, W.C.A. Wijngaards wrote:

>>>> So unbound asks dnsmasq for the address of "myhost.lan" as it
>>>> is instructed by forward-zone, gets correct result (!), but
>>>> then marks it bogus because it cannot establish trust chain.
>>> You'll need
>>> private-domain: "lan."
>>> domain-insecure: "lan."
>> Wow, that was fast! After also adding "do-not-query-localhost: no"
>> (and 'local-zone: "" nodefault' for the reverse
>> zone) it all worked!
>> Thanks a lot!
>> Any chance to make these sorts of tricks more apparent in the
>> documentation?
> Where in the documentation have you been looking, i.e. does it make
> sense to add some text to help out?

I was reading unbound.conf(5) because there is no relevant doc in the Guides
section. I'd say, a separate "HowTo Configure Forward For Local Zones" document
would be ideal for my particular case. Or, spray hints in the unbound.conf
manpage like so:

- In the description of "forward-zone" and "stub-zone" mention that:
  + if this is a local zone that does not have a DS in the parent zone, you must
    list the name as "domain-insecure",
  + if it may contain private addresses, then also in "private-domain",
  + if it is a reverse zone for a private address range, the zone needs to be
    configured "local-zone: <> nodefault".
- In the description of "forward-addr" note that if you specify a loopback address
  you should also add "do-not-query-localhost: no".

I think a separate HowTo might be better because this is a relatively common
setup, so many would benefit, and on the other hand the manpage is rather long
and dense already. I could knock up a short doc, shall I try?


