Maintained by: NLnet Labs

[Unbound-users] stub vs. forward vs. redirect

W.C.A. Wijngaards
Thu Sep 17 12:35:13 CEST 2009


Hi Tony,

On 09/14/2009 08:48 PM, Tony Finch wrote:
> We have a number of private zones on our site: a forward zone
>, and a number of reverse zones under
> Should I configure these as stub zones, forward zones, or redirect zones?

As stub zones.  Possibly set
local-zone: "" nodefault
so that unbound does not provide default blocking for the zone.

If you made them forward-zones, it would likely work as well, but if
there are CNAMEs then you probably want unbound to process the cname
chain chasing, as the other server is authoritative for these zones.

A redirect would work if you want to block access to those zones, and
return an answer to some 'redirect notify' page in all cases.

> At the moment is not signed but is. Does
> DNSSEC validation affect how I should configure these zones? Do I need to
> use the domain-insecure option?

Well, if does not exist in at all, yes,
you need to use domain-insecure: "".

If has a delegation to then this turns
into a proper unsigned delegation and it works out of the box.

Best regards,
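
The three options discussed in the reply, laid out as an unbound.conf fragment. This is an added example, not part of the original message; the zone names in the archived mail are missing, so "private.example." and "10.in-addr.arpa." and all addresses below are constructed placeholders.

```conf
# Added example, not from the original thread. Zone names and addresses
# are constructed placeholders (documentation ranges), not the poster's.

server:
    # Unbound answers reverse zones for private address space from
    # built-in defaults. "nodefault" switches that off for this zone so
    # queries reach the stub-zone below.
    local-zone: "10.in-addr.arpa." nodefault

    # Needed only when the signed parent contains no delegation for the
    # private zone: the validator would otherwise see signed proof that
    # the name does not exist. With an unsigned delegation in the
    # parent, leave this line out.
    domain-insecure: "private.example."

# Stub zones: the listed servers are treated as authoritative, and
# Unbound chases CNAME chains itself.
stub-zone:
    name: "private.example."
    stub-addr: 192.0.2.53

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 192.0.2.53

# Alternative, instead of the stub-zone for the same name: hand the
# query to another resolver and rely on it to resolve the full answer.
# forward-zone:
#     name: "private.example."
#     forward-addr: 192.0.2.53

# Redirect, for blocking instead of resolving: every name at or below
# the zone gets the same answer (here a hypothetical notice page).
# server:
#     local-zone: "private.example." redirect
#     local-data: "private.example. A 192.0.2.80"
```

Running unbound-checkconf on the edited file catches syntax errors before the resolver is reloaded.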