On 2022-02-06, Laura Smith <[email protected]> wrote:
> I have a local OpenBSD setup with NSD and Unbound.
>
> I'm seeing a weird problem where I am getting an NXDOMAIN (per below) on my
> internal "bar.corp" domain.
>
> My unbound config is as follows. If I do the same dig query directly against
> the stub resolvers, it works with no issue.
>
> server:
>     interface: 127.0.0.1
>     # extra interface: entries removed for list post
>     #
>     do-ip6: yes
>     #
>     access-control: 0.0.0.0/0 refuse
>     access-control: ::0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: ::1 allow
>     access-control: 10.0.0.0/8 allow
>     #
>     hide-identity: yes
>     hide-version: yes
>     hide-version: yes
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>     prefetch: yes
>     prefetch-key: yes
>     rrset-roundrobin: yes
>     minimal-responses: yes
>     root-hints: "/var/unbound/db/named.root"
>     domain-insecure: "bar.corp"

Not sure but you might also need domain-insecure for "corp".

If that's not it, it is probably best to ask on the unbound mailing list.

>     local-zone: "bar.corp" nodefault
>     local-zone: "use-application-dns.net" always_nxdomain
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
> stub-zone:
>     name: "bar.corp"
>     stub-addr: 10.0.0.50
>     stub-addr: 10.0.1.50
>
>
> ; <<>> DiG 9.16.22-Debian <<>> foo.bar.corp
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46113
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;foo.bar.corp. IN A
>
> ;; AUTHORITY SECTION:
> . 3501 IN SOA a.root-servers.net.
> nstld.verisign-grs.com. 2022020600 1800 900 604800 86400
>
> ;; Query time: 4 msec
> ;; SERVER: <MY_UNBOUND_RESOLVER_IP>
> ;; WHEN: Sun Feb 06 12:21:04 GMT 2022
> ;; MSG SIZE rcvd: 122
>

-- 
Please keep replies on the mailing list.
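
Added example, not part of the thread: a Python check that reads dig output like the one quoted above and reports which zone's SOA backs the NXDOMAIN and whether the AD flag is set. In the quoted output the SOA owner is the root (".") with "ad" set, so the denial was built from validated root-zone data rather than by the bar.corp stub servers. The function names and the sample string are constructed for illustration.

```python
import re

# Constructed sample: the relevant lines of the dig output quoted in the
# thread, with the wrapped SOA record rejoined onto one line.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46113
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;foo.bar.corp. IN A
;; AUTHORITY SECTION:
. 3501 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020600 1800 900 604800 86400
"""


def in_zone(name, zone):
    """True if DNS name `name` is at or below `zone` (case-insensitive)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return z == "" or n == z or n.endswith("." + z)


def diagnose(dig_text, stub_zone):
    """Report which zone's SOA backs a negative answer in dig output."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]+);", dig_text)
    # The SOA in the authority section names the zone asserting non-existence.
    soa = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", dig_text, re.M)
    result = {
        "status": status.group(1) if status else None,
        "validated": bool(flags and "ad" in flags.group(1).split()),
        "soa_owner": soa.group(1) if soa else None,
    }
    if result["status"] != "NXDOMAIN" or soa is None:
        result["origin"] = "inconclusive"
    elif in_zone(result["soa_owner"], stub_zone):
        result["origin"] = "stub-zone"      # internal servers denied the name
    else:
        result["origin"] = "parent-zone"    # denial came from above the stub
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE, "bar.corp"))
```

An origin of "parent-zone" together with validated=True is the pattern to look for when a stub-zone under a non-delegated TLD returns NXDOMAIN through the resolver but resolves when queried directly.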

