Maintained by: NLnet Labs

unbound fetches DNS record from nsd but does not return it to client

Patrik Lundin
Mon Aug 3 18:50:35 CEST 2015

On Mon, Aug 03, 2015 at 12:42:00PM +0200, W.C.A. Wijngaards via Unbound-users wrote:
> I've fixed up the manual page and the example config file, and they
> now discuss configuring domain-insecure or local-zone nodefault for
> locally served zones.

Thank you for making the configuration information more explicit. I
believe what I have been missing is a hint at the "nodefault" description that
it only works for the exact zone names:

nodefault Used to turn off default contents for AS112 zones. The other
          types also turn off default contents for the zone. The
          'nodefault' option has no other effect than turning off
          default contents for the given zone.

Reading this it is not clear to me that "nodefault" only works for the exact
zones, and that I am supposed to use "transparent" if I configure for example.

Maybe this is just me :).

Out of curiosity: what is the reason unbound does not work for the
original poster if domain-insecure is missing? The domain was
"data1.datanet.home", and since there is no DS record for "home" at ".", it
seems to me this would mean no further DNSSEC processing is necessary. What am
I missing?

> The configuration is like this because the access-control filter
> happens first (it is by IP address netblock).  Then the local-zone
> filter is applied (it is by domain name).  Then the DNS cache is used,
> the items are fed in there with the stub-zone clause.  The cache
> entries are also 'filtered' by DNSSEC validation and private-address
> removal.  And all of these components are separately configurable...

Sounds reasonable, thanks for the information :).

Patrik Lundin
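
The setup discussed in this thread, as an added example that is not part of the original message or of the Unbound distribution: an unbound.conf fragment with comments following the filtering order described in the quoted reply. The zone datanet.home is the one named in the thread; the addresses, the netblocks and the 10.in-addr.arpa reverse zone are constructed assumptions.

```conf
# Constructed example: Unbound resolving a locally served zone from an
# authoritative server (e.g. NSD) reached through a stub-zone.
server:
    # Stage 1: access-control filters by client IP netblock.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow          # assumed client network

    # Stage 2: local-zone filters by domain name.
    # 10.in-addr.arpa. is one of the AS112 zones with built-in default
    # contents; nodefault on that exact name turns the defaults off so
    # queries fall through to the stub-zone below.
    local-zone: "10.in-addr.arpa." nodefault

    # Stage 4a: DNSSEC validation of what the stub returned.
    # The local zones have no chain of trust from the signed root,
    # so mark them insecure to skip validation for these names.
    domain-insecure: "datanet.home."
    domain-insecure: "10.in-addr.arpa."

    # Stage 4b: private-address removal.
    # Answers containing these addresses are stripped unless the
    # name is listed under private-domain.
    private-address: 10.0.0.0/8
    private-domain: "datanet.home."

# Stage 3: stub-zone entries feed records into the cache.
stub-zone:
    name: "datanet.home."
    stub-addr: 10.0.0.53                      # assumed address of the NSD server

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 10.0.0.53
```

Running `unbound-checkconf` on the file checks its syntax before a reload. When the stub server returns a record and the client still gets nothing, each stage above is a separate place to look.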