Hello,
I use Unbound with OPNsense. I have secured a domain with DNSSEC, its DNS server being on the WAN. It has an office.domain.com subdomain (A record).
I also have a local DNS server where that subdomain is set, so it resolves locally to local IPs. So I am adding a domain override in Unbound, which appears as follows in the configuration:
private-domain: "office.domain.com"
domain-insecure: "office.domain.com"
forward-zone:
    name: "office.domain.com"
    forward-addr: 10.25.65.16
And I get this error in Unbound:
2021-06-23T20:57:39 unbound[60568] [60568:1] info: NSEC3s for the referral proved no delegation
2021-06-23T20:57:39 unbound[60568] [60568:1] info: resolving office.domain.nc. DS IN
2021-06-23T20:57:39 unbound[60568] [60568:1] info: query response was ANSWER
2021-06-23T20:57:39 unbound[60568] [60568:1] info: reply from <office.domain.nc.> 10.25.65.16#53
2021-06-23T20:57:39 unbound[60568] [60568:1] info: response for office.domain.nc. A IN
2021-06-23T20:57:39 unbound[60568] [60568:1] info: resolving office.domain.nc. A IN
I understand that error. If I disable the DNSSEC feature in Unbound, it works.
But I am wondering if there is any way to work around that (without disabling DNSSEC checking), and have Unbound give back the ANSWER returned by that local DNS server?
Regards
Hi Laurent,
If your domain is DNSSEC signed then instead of 'domain-insecure:'
you need to specify the trust anchor for that domain like:
trust-anchor: "office.domain.com. IN DNSKEY ..."
Also if 10.25.65.16 is the authoritative name server for that zone use 'stub-zone:' instead of 'forward-zone:'. The latter is supposed to forward to another resolver.
BTW I see in your log a completely different domain (office.domain.nc), which I don't know how it is supposed to be linked to your signed office.domain.com domain.
Hope that helps,
-- George
Hello,
Thanks, I tried:
stub-zone:
    name: "office.amnc.nc"
    stub-addr: 10.0.8.6
    stub-first: yes
    trust-anchor: "office.amnc.nc. IN DNSKEY 50076 10 1 [obfuscated key]"
But I get "fatal error: could not read config file".
Hi Laurent,
I suppose you ran unbound-control to try and reload the file.
You can run:
unbound-checkconf
to see what is wrong with your configuration file.
If that produces no errors then maybe you have chroot enabled and the configuration file is outside of the chroot? If so, stopping and starting Unbound should work. You could also move the configuration file in the chroot if that is an option.
BTW the option 'trust-anchor:' is an option for the 'server:' section, not the 'stub-zone:' section.
Also your DNSKEY record seems weird.
This needs to be the same record as you get when querying for:
office.amnc.nc. DNSKEY
with either 'dig' or 'drill'.
That means the public key as it is supposed to be published in the zone.
Best regards,
-- George
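For reference, the layout George describes, written out as an added example (not a config posted by either participant): trust-anchor, domain-insecure and private-domain live under server:, and the locally authoritative server is reached through stub-zone:. The DNSKEY record is a placeholder to be replaced with the record that dig or drill returns for office.amnc.nc; the stub-addr value is the one from the thread.

```conf
server:
    # Trust anchor for the locally served, signed zone.
    # This option belongs in server:, not in stub-zone:.
    # PLACEHOLDER record: replace the whole string with the real output of
    #   dig office.amnc.nc. DNSKEY
    # (flags 257 = KSK, protocol 3, algorithm 13 = ECDSAP256SHA256 are just
    # illustrative values here).
    trust-anchor: "office.amnc.nc. IN DNSKEY 257 3 13 <public-key-from-dig>"

    # If the local copy of the zone is NOT signed, use this instead of
    # trust-anchor (never both for the same name), so validation is skipped
    # only for that name and stays active for everything else:
    # domain-insecure: "office.amnc.nc"

    # Allow private (RFC 1918) addresses in answers for this name.
    private-domain: "office.amnc.nc"

# 10.0.8.6 is authoritative for the zone, so a stub-zone is used rather
# than forward-zone (which expects another recursive resolver).
stub-zone:
    name: "office.amnc.nc"
    stub-addr: 10.0.8.6
    stub-first: yes
```

Run unbound-checkconf against the file before reloading; it reports option placement errors such as a trust-anchor inside stub-zone: instead of the generic "could not read config file" message.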