Maintained by: NLnet Labs

[Unbound-users] Problem resolving private domains

lst_hoe02 at
Mon Oct 25 20:19:00 CEST 2010

Quoting "W.C.A. Wijngaards" <wouter at>:

> Hi Andreas,
> On 10/25/2010 04:37 PM, lst_hoe02 at wrote:
>> Quoting lst_hoe02 at
>>> Sorry, forgot the first question. The "private-address:" is not set at
>>> all, so Unbound should not strip anything I guess?
>> May it be related to the fact that the .cz TLD is DNSSEC signed and the
>> .de not? Both subdomains don't use DNSSEC until now and have no trust
>> chain but that's the only difference I came up with...
> Yes if your own domain is not signed, then you must give:
> 	domain-insecure: ""
> So that unbound understands that there is no DS record published in .cz
> for

Okay, with "domain-insecure:" it works. But it strikes me as
odd why the is different from Unbound's point of
view than any other .cz domain? After all Unbound does forward all
queries anyway to the upstream Bind. I guess it is best to list all
private domains also as insecure domains in case the TLDs will be
signed some day.

Many Thanks
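
The closing idea in this message, listing every private domain under "domain-insecure:", can be checked mechanically against a configuration file. The Python sketch below is an added example, not part of the original post or of Unbound itself; the sample configuration and its zone names are constructed placeholders, and it assumes every forward-zone and stub-zone other than the root is a private zone.

```python
import re

# Constructed sample unbound.conf; zone names and addresses are placeholders.
SAMPLE_CONF = '''
server:
    domain-insecure: "corp.example.cz"
forward-zone:
    name: "corp.example.cz."
    forward-addr: 192.0.2.53
forward-zone:
    name: "lab.corp.example.cz"
    forward-addr: 192.0.2.53
stub-zone:
    name: "intranet.example.de"
    stub-addr: 192.0.2.54
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
'''

def _norm(name):
    """Lower-case a domain name, dropping quotes and the trailing dot."""
    return name.strip().strip('"\'').lower().rstrip(".")

def parse(conf):
    """Return (zone names, domain-insecure names) found in unbound.conf text."""
    zones, insecure, clause = [], [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "":
            clause = key                         # clause header, e.g. "forward-zone:"
        elif key == "domain-insecure":
            insecure.append(_norm(value))
        elif key == "name" and clause in ("forward-zone", "stub-zone"):
            zones.append(_norm(value))
    return zones, insecure

def uncovered(conf):
    """Zones with no domain-insecure entry at or above them (root zone skipped)."""
    zones, insecure = parse(conf)
    def covered(zone):
        return any(d == "" or zone == d or zone.endswith("." + d) for d in insecure)
    return [z for z in zones if z and not covered(z)]

if __name__ == "__main__":
    print(uncovered(SAMPLE_CONF))
```

Each name it reports is a zone that would start failing validation if its parent TLD became signed without a DS record for that zone.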