;; AUTHORITY SECTION:
. 3494 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2018020500 1800 900 604800 86400
The manage.intra zone is configured as local-zone on unbound.
I am able to query the manage.intra zone:
$ dig test.manage.intra.
;; ANSWER SECTION:
test.manage.intra. 60 IN A 10.1.0.99
What am I missing?
Unbound works by first checking local-zones, then cache, then performing
recursive lookup, that recursive lookup then uses the cache and sends
queries to upstream authority servers.
The localzones are a filter in front of all other stuff that unbound
does. Unbound wants to lookup manage.intra at the back, so it needs a
forward-zone or a stub-zone for that, somewhere where it can find the
information in manage.intra.
With (not yet released) authority zones you can do this, and configure
unbound to use that authority zone data as a proxy for upstream queries.
Instead of sending queries to upstream servers, it'll use that
authority data directly. I.e. it'll sit at the back, instead of as
local-zones at the front. There is also an option to put auth-zones at
the front. And another one to failover to normal internet queries on
validation failures (for RFC7706 root zone copies). If enabled as a
proxy for upstream queries, unbound would use it to answer queries there
but also CNAMEs pointing there.