Hey folks,
I am a bit baffled by the following problem and seek your advice.
I am on a LAN and 192.168.14.1/24 is running unbound
1.4.17-3+deb7u1. It is a recursive resolver, except that the zone
"gern" is forwarded to ::1 on the host, where nsd3 runs and resolves
them ("gern" is actually a 1:1 copy of gern.madduck.net, but I am
using the abbreviated zone internally).
This works just fine and all hosts on the LAN are happy.
I also have a laptop running unbound 1.4.22-2 (because I often need
to add local-zones and I have a few kvm instances on the host).
resolvconf configures unbound to use 192.168.14.1 as a forwarder,
and this also works just fine for all global domains, e.g.
% grep nameserver /etc/resolv.conf
nameserver 127.0.0.1
% host debian.org | wc -l
11
% ping -nc1 debian.org
PING debian.org (128.31.0.62) 56(84) bytes of data.
64 bytes from 128.31.0.62: icmp_seq=1 ttl=53 time=265 ms
[…]
For the purpose of solving the problem at hand, I have reduced the
config to only have one directive:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
The problem is that any requests for the abbreviated "gern" zone
yield SERVFAIL.
% host julia.gern
Host julia.gern not found: 2(SERVFAIL)
but they work fine when addressed directly at the LAN DNS server:
% host julia.gern 192.168.14.1
julia.gern has address 192.168.14.2
julia.gern has IPv6 address 2001:a60:f0fb:0:9eb6:54ff:fe0b:e5e4
Do you have any idea why unbound is failing on the abbreviated zone
requests?
I fI remove the auto-trust-anchor-file config directive, it works,
so it seems this is DNSSEC-related (none of my zones are signed
yet). Can someone enlighten me and help em understand what's going
on?
What's the best way to solve this?
Thanks!
