Unbound does not forward query to NSD

Hello,

I have a server running both NSD and Unbound.

The problem is that Unbound does not seem to redirect the queries for “mydomain.net” to NSD as it should.

NSD listening interface: “ip_address_ns1” (this is the external interface facing the Internet)
NSD master authoritative zone: “mydomain.net”
NSD master server of the zone: “ns1.mydomain.net”

Unbound config file.

Hi,

In your example, dig will do the recursion by itself. To test your unbound setup, you'll need to send a "dig mydomain.net" to your unbound server, and then check the unbound logs for the route taken.

Kind regards,
  Tom
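
The check Tom describes, done over log lines rather than by eye: the script below is an added example, not something from the thread, and the log lines it contains are constructed to match the "info: reply from <zone.> ip#53" shape that Unbound emits at verbosity 3. It lists every upstream Unbound answered from and flags any that is not one of your own NSD addresses (LOCAL_NS, placeholders from the documentation range; substitute ip_address_ns1/ip_address_ns2). Pipe a real log through it with `grep unbound /var/log/daemon | external_servers`.

```sh
#!/bin/sh
# Added example: summarise which upstream servers an Unbound resolver
# contacted, from its verbosity-3 log lines read on stdin.
# Assumption: LOCAL_NS holds the addresses your NSD instances listen on
# (placeholders from 192.0.2.0/24; replace with ip_address_ns1/ns2).
LOCAL_NS="192.0.2.1 192.0.2.2"

# Print "zone address" for every upstream reply in the log, deduplicated.
upstreams_contacted() {
  sed -n 's/.*info: reply from <\([^>]*\)> \([^#]*\)#[0-9]*.*/\1 \2/p' \
    | LC_ALL=C sort -u
}

# Print the upstreams that are NOT one of our local NSD servers.
# An empty result means the query never left the box.
external_servers() {
  upstreams_contacted | while read -r zone addr; do
    local_hit=0
    for ns in $LOCAL_NS; do
      [ "$addr" = "$ns" ] && local_hit=1
    done
    [ "$local_hit" -eq 0 ] && echo "$zone $addr"
  done
}

# Exit 0 if every reply came from a local NSD, 1 otherwise.
query_stayed_local() {
  [ -z "$(external_servers)" ]
}

# Constructed sample: the "before" situation from the thread, where the
# validator walks . -> net. -> mydomain.net. looking for DS records.
sample_log_before() {
  cat <<'EOF'
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <mydomain.net.> 192.0.2.2#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <.> 198.41.0.4#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <net.> 192.31.80.30#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was nodata ANSWER
EOF
}

# Constructed sample: the "after" situation, only the local NSD is asked.
sample_log_after() {
  cat <<'EOF'
Mar 25 18:45:40 ns1 unbound: [84765:0] info: reply from <mydomain.net.> 192.0.2.1#53
Mar 25 18:45:40 ns1 unbound: [84765:0] info: query response was ANSWER
EOF
}

if [ "${1:-}" = "demo" ]; then
  echo "before:"; sample_log_before | external_servers
  echo "after:";  sample_log_after  | external_servers
fi
```

Run it as `sh check.sh demo` to see the two constructed cases side by side; in the "before" log the root and .net servers show up as external, in the "after" log nothing does.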

Hello Tom,

Thanks for your reply.

This is what I get after restarting Unbound with “verbosity: 3” settings…

root@ns1 [14:53:10]:/var/log$ dig mydomain.net

root@ns1 [14:53:10]:/var/log$ tail -f daemon
Mar 25 14:53:10 ns1 unbound: [84765:0] notice: init module 0: validator
Mar 25 14:53:10 ns1 unbound: [84765:0] notice: init module 1: iterator
Mar 25 14:53:10 ns1 unbound: [84765:0] info: DelegationPoint<mydomain.net.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
Mar 25 14:53:10 ns1 unbound: [84765:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
Mar 25 14:53:10 ns1 unbound: [84765:0] info: start of service (unbound 1.11.0).
Mar 25 14:54:20 ns1 unbound: [84765:0] query: 127.0.0.1 mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: resolving mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: processQueryTargets: mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: sending query: mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: iterator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <mydomain.net.> ip_address_ns2#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: finishing processing for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: prime trust anchor
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query . DNSKEY IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: resolving . DNSKEY IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: priming . IN NS
Mar 25 14:54:20 ns1 unbound: [84765:0] info: iterator operate: query . NS IN

[…]
around 1k lines of queries and answers!
[…]

Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from <net.> 192.31.80.30#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was nodata ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: finishing processing for mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: NSEC3s for the referral proved no DS.
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: Verified that unsigned response is INSECURE
Mar 25 14:54:20 ns1 unbound: [84765:0] reply: 127.0.0.1 mydomain.net. A IN NOERROR 0.195477 0 57

So it seems that the NSD server (ns2.mydomain.net) is queried first, but the query still goes up to the root DNS.

Hi,

Regardless of forwarder statements, Unbound tries to verify the DNSSEC
"chain of trust" (root -> net -> mydomain.net), generating queries to
these nameservers.
If this is not desired, mark the target domain as "insecure".

Daisuke,

The domain currently has no DNSSEC records.

You are right.
With the “domain-insecure” setting, the query is not forwarded anymore outside the server.

root@ns1 [18:45:34]:/var/unbound/etc$ rcctl restart unbound && tail -f /var/log/daemon
notice: init module 0: validator
notice: init module 1: iterator
info: DelegationPoint<mydomain.net.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
info: start of service (unbound 1.11.0).
query: 127.0.0.1 mydomain.net. A IN
info: validator operate: query mydomain.net. A IN
info: resolving mydomain.net. A IN
info: processQueryTargets: mydomain.net. A IN
info: sending query: mydomain.net. A IN
info: iterator operate: query mydomain.net. A IN
info: response for mydomain.net. A IN
info: reply from <mydomain.net.> ip_address_ns1#53
info: query response was ANSWER
info: finishing processing for mydomain.net. A IN
info: validator operate: query mydomain.net. A IN
reply: 127.0.0.1 mydomain.net. A IN NOERROR 0.002583 0 57

Thanks for your suggestion!
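
For readers landing here with the same symptom, here is the shape of an unbound.conf that matches the outcome of the thread. It is an added example, not the poster's configuration (the real config was never shown in the thread); the addresses are placeholders from the documentation range standing in for ip_address_ns1 and ip_address_ns2, and the zone name is the thread's.

```conf
# Added example (not from the thread). Replace 192.0.2.1/192.0.2.2 with the
# interfaces your NSD instances actually listen on.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    verbosity: 1

    # Without this line a stub-zone alone is not enough: the validator still
    # walks . -> net. -> mydomain.net. asking for DS records to prove the zone
    # is unsigned, which is the root/gTLD traffic visible in the first log.
    # With it, Unbound treats the zone as unsigned and stops at the stub.
    domain-insecure: "mydomain.net"

# Hand queries for the zone straight to the local NSD instead of recursing
# from the roots.
stub-zone:
    name: "mydomain.net"
    stub-addr: 192.0.2.1    # ip_address_ns1, the master NSD
    stub-addr: 192.0.2.2    # ip_address_ns2, secondary (optional)
```

Two caveats worth keeping in mind: domain-insecure switches DNSSEC validation off for that name and everything under it, so if the zone is later signed and a DS record published in .net, remove the line (or Unbound will keep serving it unvalidated); and if the stub-addr points at an address Unbound cannot reach on the same host (for example an external interface behind a firewall rule), the "reply from" line in the log is the first place the failure shows up.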