Greetings,
I've got a resolve server setup, using OpenBSD, unbound, and nsd. (hence the crosspost)
The setup is as follows;
unbound is listening on a loopback interface, lo1, using an address that
is anycast, let's call it 192.0.2.53/32. This address is configured as
resolver in clients. This works.
However, this particular machine is slated to go walkabout in a travel
kit to a place where it might lose its connection. We still want it to
work and keep on serving names, since some resources will be local.
Therefore, we've got a nsd instance running on the same host. The nsd is
slaving a number of the important zones we need off of the normal servers,
and we intend to use stub/forward in unbound to prefer this instance --
a lot of firewalling means we can't freely recurse from the root anyway,
so such a setup is required regardless. We're forwarding to a pair of
DMZ resolver hosts for external names, and to internal name servers for
our own stuff.
I initially tried to make nsd listen on 127.0.0.53 using an extra
loopback interface (in contrast to a statement by a PFY working at a
Swedish ISP back in the dotcom bubble days, we feel that we can afford
loopback interfaces... True story.) and it works. Half-way. I can dig
@127.0.0.53 and get excellent answers back. But unbound refuses to use
the address, and returns SERVFAIL. As soon as I make nsd listen on a
physical interface on the host and change the unbound config accordingly
so that it points to that address for forwarding/stub address, things
start working.
Is this an issue in unbound or OpenBSD (5.9)?
Bonus question: Forward or Stub? I never really got through to understand
the differences 
Thanks for any pointers in this.