I ran into this before and found out that using 127.0.0.0/8 will not work. I assigned 10.0.0.1 as a virtual address on eth0 and that did the trick. I then set my rbldnsd daemon to listen on 10.0.0.1

In unbound.conf I have

forward-zone:
    name: "blacklist.rbl"
    forward-addr: 10.0.0.1

Obviously, your context is different but the general rule applies. Unbound will not query forward zones on 127.0.0.0. Use another IP address. Either the public IP of the host NSD is running on, or a RFC1918 address.

Hope this helps,

Patrick Vande Walle

martin f krafft wrote:
> Hi,
>
> I am trying to get unbound, bound to eth0, to forward queries for
> local zones to nsd running on 127.0.0.1.
>
> nsd works authoritatively, I have verified this with dig.
>
> Also, when I use pdns-recursor to forward to nsd, it all works.
>
> However, with unbound, I get SERVFAIL from unbound, which reports:
>
>   unbound: [1269:0] info: processQueryTargets: <local.zone. NS IN>
>   unbound: [1269:0] debug: out of query targets -- returning SERVFAIL
>
> in the logs. My configuration is as follows. What could be the
> problem?
>
>   server:
>     verbosity: 1
>     interface: 192.168.14.1
>     cache-max-ttl: 1800
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: 192.168.14.0/24 allow
>     chroot: ""
>     do-not-query-localhost: no
>   stub-zone:
>     name: "local.zone"
>     stub-addr: 127.0.0.1
>
> I have tried
>
>   (a) forward-zone for local.zone and .
>   (b) stub-zone for local.zone and forward-zone for .
>   (c) only stub-zone for local.zone and root-hints for .
>   (d) only forward-zone for local.zone and root-hints for .
>   (e)/(f) like (c)/(d) without explicit root-hints
>
> but in none of these cases could I make it work.
>
> Any clues?
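
A small checker for the situation discussed in this thread, added here as an example and not part of the original messages: it lists the stub-addr and forward-addr entries of an unbound.conf that point at a loopback address, the case the reply says to avoid, and reports the do-not-query-localhost value next to them. The function name and the sample text (built from the two configurations quoted above) are assumptions made for the example.

```python
import ipaddress

# Constructed sample: the stub-zone from the question plus the forward-zone
# from the reply, reduced to the options this check reads.
SAMPLE_CONF = """\
server:
    interface: 192.168.14.1
    do-not-query-localhost: no
stub-zone:
    name: "local.zone"
    stub-addr: 127.0.0.1
forward-zone:
    name: "blacklist.rbl"
    forward-addr: 10.0.0.1
"""

UPSTREAM_KEYS = {"stub-addr", "forward-addr"}


def loopback_upstreams(conf_text):
    """Return (do_not_query_localhost, findings) for unbound.conf text.

    findings holds (zone_name, option, address) for every stub/forward
    address that is loopback (127.0.0.0/8 or ::1). The first element is the
    configured value, or "yes" (unbound's documented default) when unset.
    """
    dnql = "yes"
    clauses = []  # one dict per clause: {"name": ..., "addrs": [(key, value)]}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        key, sep, value = line.partition(":")    # first colon only (IPv6 safe)
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if key in ("server", "stub-zone", "forward-zone"):
            clauses.append({"name": None, "addrs": []})
        elif key == "do-not-query-localhost":
            dnql = value
        elif key == "name" and clauses:
            clauses[-1]["name"] = value
        elif key in UPSTREAM_KEYS and clauses:
            clauses[-1]["addrs"].append((key, value))
    findings = []
    for clause in clauses:
        for key, value in clause["addrs"]:
            try:
                addr = ipaddress.ip_address(value.split("@", 1)[0])  # addr@port
            except ValueError:
                continue  # not an IP literal, nothing to classify
            if addr.is_loopback:
                findings.append((clause["name"], key, value))
    return dnql, findings
```
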