Maintained by: NLnet Labs

Unbound does not honor forwarder DNSSEC verification?

Paul Wouters
Tue Mar 1 06:44:26 CET 2016

On Mon, 29 Feb 2016, la9k3 via Unbound-users wrote:

> Is there a way to make unbound honor my forwarder's dnssec validation?
> For example, I use unbound as a caching forwarder and have "." set as a
> forwarding zone that forwards everything to Google's public DNS
> (
> However, when I test dnssec, I get a valid reply from servers such
> as This doesn't happen if I use Google's DNS as
> my normal resolver, in which case I get a SERVFAIL response.

That works fo me:

paul at bofh:~$ sudo service unbound restart
Redirecting to /bin/systemctl restart  unbound.service
paul at bofh:~$ sudo unbound-control list_forwards
paul at bofh:~$ sudo unbound-control forward_add .
paul at bofh:~$ cat /etc/resolv.conf 
# Generated by NetworkManager
paul at bofh:~$ dig +dnssec

; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14945
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;		IN	A

;; Query time: 490 msec
;; WHEN: Tue Mar 01 00:43:08 EST 2016
;; MSG SIZE  rcvd: 50

paul at bofh:~$