I'm running a new installation of 12.1-RELEASE and enabled local-unbound. The service works well, except I cannot query machines through the local-unbound to the resolver running elsewhere on my network. Those queries return SERVFAIL.
I'm running the configuration as it comes from the installer. My unbound.conf, forward.conf, and lan-zones seem correct:
Code:
> cat unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    username: unbound
    directory: /var/unbound
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid
    auto-trust-anchor-file: /var/unbound/root.key
    # Setup logging
    verbosity: 3
    logfile: /var/unbound/unbound.log
    log-queries: yes
include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

> cat lan-zones.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    # Unblock reverse lookups for LAN addresses
    unblock-lan-zones: yes
    insecure-lan-zones: yes

> cat forward.conf
# Generated by resolvconf
forward-zone:
    name: "lan"
    forward-addr: 10.0.32.1
forward-zone:
    name: "."
    forward-addr: 10.0.32.1
    forward-addr: fd46:520f:9320::1
And I can query the resolver directly:
Code:
> host artemis.lan 10.0.32.1
Using domain server:
Name: 10.0.32.1
Address: 10.0.32.1#53
Aliases:
artemis.lan has address 10.0.32.187
But something is getting lost along the way:
Code:
[1598424534] local-unbound[64844:0] info: 127.0.0.1 artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
[1598424534] local-unbound[64844:0] info: validator operate: query artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1598424534] local-unbound[64844:0] info: resolving artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: processQueryTargets: artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: sending query: artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: sending to target: <lan.> 10.0.32.1#53
[1598424534] local-unbound[64844:0] debug: cache memory msg=69864 rrset=75014 infra=8559 val=71327
[1598424534] local-unbound[64844:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
[1598424534] local-unbound[64844:0] info: iterator operate: query artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: response for artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: reply from <lan.> 10.0.32.1#53
[1598424534] local-unbound[64844:0] info: query response was ANSWER
[1598424534] local-unbound[64844:0] info: finishing processing for artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1598424534] local-unbound[64844:0] info: validator operate: query artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: cache memory msg=69864 rrset=75014 infra=8559 val=71327
[1598424534] local-unbound[64844:0] info: 127.0.0.1 artemis.lan.lan. A IN
I do occasionally see a message saying
[1598422075] local-unbound[64844:0] info: Could not establish a chain of trust to keys for lan. DNSKEY IN
My understanding is that setting unblock-lan-zones and insecure-lan-zones to yes would avoid DNSSEC issues on the local network.

Any ideas what's going wrong?
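
An added diagnostic example, not part of the original post: it cross-references the chain-of-trust failures in the local-unbound log with the forward zones in the configuration and reports forwarded zones that no `domain-insecure` entry exempts from validation (per unbound.conf(5), `insecure-lan-zones` applies to reverse lookups in private address space). The function names are hypothetical, and the sample input is assembled from the lines quoted in the post.

```python
import re

# Sample input assembled from the configuration and log lines quoted in the post.
CONF = '''\
server:
    unblock-lan-zones: yes
    insecure-lan-zones: yes
forward-zone:
    name: "lan"
    forward-addr: 10.0.32.1
forward-zone:
    name: "."
    forward-addr: 10.0.32.1
'''
LOG = '''\
[1598422075] local-unbound[64844:0] info: Could not establish a chain of trust to keys for lan. DNSKEY IN
[1598424534] local-unbound[64844:0] info: reply from <lan.> 10.0.32.1#53
[1598424534] local-unbound[64844:0] info: query response was ANSWER
'''
TRUST_FAIL = re.compile(r"Could not establish a chain of trust to keys for (\S+) DNSKEY IN")
OPTION = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"#\s]*)"?')

def norm(zone):
    # Lower-case the zone name and give it exactly one trailing dot.
    return zone.lower().rstrip(".") + "."

def parse_conf(text):
    """Return (forward-zone names, domain-insecure names) found in unbound.conf text."""
    forwards, insecure, clause = set(), set(), None
    for line in text.splitlines():
        m = OPTION.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value == "":                      # "server:" / "forward-zone:" open a clause
            clause = key
        elif clause == "forward-zone" and key == "name":
            forwards.add(norm(value))
        elif clause == "server" and key == "domain-insecure":
            insecure.add(norm(value))
    return forwards, insecure

def failing_forward_zones(conf_text, log_text):
    """Forwarded zones with a logged chain-of-trust failure and no covering domain-insecure."""
    forwards, insecure = parse_conf(conf_text)
    failed = {norm(z) for z in TRUST_FAIL.findall(log_text)}
    covered = lambda z: any(i == "." or z == i or z.endswith("." + i) for i in insecure)
    return sorted(z for z in failed & forwards if not covered(z))
```

Calling `failing_forward_zones(CONF, LOG)` on the sample input returns `['lan.']`; the list is empty once the server clause carries a `domain-insecure` entry for that zone.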