Hey everyone,
im struggeling to get unbound to forward to my local nsd and to external hosts , it works when i have only one forward zone for my internal .testing records but when i put a forward-zone: name: “.” , it ignores my other forward-zone

I got the base conf from here:

https://jonwillia.ms/2018/09/23/anycast-dns-openbsd (github.com/bongozone/kibble)

I am running in it On openbsd 6.5 with unbound 1.9.1

Does anyone know how this could be done ? I have nsd running the zone records for .testing and it works when i only have the .testing forward-zone in the unbound.conf , does anyone know what im doing wrong ?

ns0# cat /var/unbound/etc/unbound.conf

$OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
interface: 127.0.0.1
#interface: ::1
do-ip6: no

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow

access-control: ::0/0 refuse
access-control: ::1 allow

hide-identity: yes
hide-version: yes

remote-control:
control-enable: yes
control-use-cert: no
control-interface: /var/run/unbound.sock

Use an upstream forwarder (recursive resolver) for specific zones.

Use an upstream forwarder (recursive resolver) for specific zones.

forward-zone:
name: “testing.”
forward-addr: 127.0.0.1@5353 # to nsd daemon

See the stub-zone option for this. Requests for authoritative servers wouldn’t be recursive like to a forwarder. You may even see as much in the nsd logs.

forward-addr: 127.0.0.1@5353

Unbound won’t send any query to localhost (127.0.0.1, ::1) by default. Add this to your configuration:

do-not-query-localhost: no

Latest version (yet released) of Unbound warns if forward-addr (stub-addr) points localhost.

https://github.com/NLnetLabs/unbound/commit/da46ea24d5aaa1b0261348fb2cc8a1f463bbdce4

Thank you, this solved the trick