Maintained by: NLnet Labs

[Unbound-users] Forward first behavior when validation fails

Paul Wouters
Mon Jul 16 16:04:17 CEST 2012

On Mon, 16 Jul 2012, Ondřej Caletka wrote:

> It would be nice if unbound would be able to fall back to direct
> recursion if forwarded data fails to validate. Using external solution
> like dnssec-trigger cannot solve the problem well, since there are so
> many affected resolvers out there, so dnssec-trigger would fall back to
> some tunneling setup virtually all the time.

That's not my experience. Also, do you really want all the hotspot logic
within unbound? Those are much better done outside it, with
dnssec-trigger and/or network-manager (or others in other OSes).

> Using proper forward-first,
> it would be possible to use (even broken) forwarders most of the time,
> and switch to „full recursion mode“ only in case validation fails.

You underestimate the number of times direct port 53 access is blocked
when traveling.