Maintained by: NLnet Labs

Unbound does not honor forwarder DNSSEC verification?

Tue Mar 1 13:16:33 CET 2016

The issue may not be related to bug #681.

Unbound always forwards queries with CD=1 to the forwarder,
so Unbound doesn't honor the forwarder's DNSSEC verification (I forgot it!)

So if you disabled DNSSEC validation you will get an "insecure" answer.
If you want SERVFAIL for  you have to enable
DNSSEC validation.

2016-03-01 20:47 GMT+09:00 Daisuke HIGASHI <daisuke.higashi at>:
> Hi,
> Please show us "how to repeat" such as your unbound configuration
> or procedure to see the problem...
> Possible bug (feature?) concerning the issue is [1].
> In Unbound-1.5.4 and older, "unbound-control forward_add ."
> adds forwarder with "forward-first: yes"
> It makes Unbound retry recursion by itself if returns SERVFAIL.
> [1]
> 2016-03-01 12:12 GMT+09:00 la9k3 via Unbound-users <unbound-users at>:
>> Hi, I have been looking online for some time trying to fix this problem; hopefully
>> this is the right last-resort place.
>> Is there a way to make unbound honor my forwarder's dnssec validation?
>> For example, I use unbound as a caching forwarder and have "." set as a
>> forwarding zone that forwards everything to Google's public DNS
>> (
>> However, when I test dnssec, I get a valid reply from servers such
>> as This doesn't happen if I use Google's DNS as
>> my normal resolver, in which case I get a SERVFAIL response.
>> Is this possible? I have trouble understanding why unbound would give a
>> valid reply, whereas the forwarder server, when queried directly, returns a SERVFAIL
>> empty answer.
>> Thanks
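The two configurations the thread contrasts, as an added illustration that is not part of the original mail exchange or of NLnet Labs' documentation. The forwarder address (192.0.2.53, a documentation-range placeholder) and the trust-anchor path are assumptions; the directive names (forward-zone, forward-addr, forward-first, module-config, auto-trust-anchor-file) are standard unbound.conf options. Since Unbound sends CD=1 to the forwarder, the forwarder's own validation result never reaches the client; the SERVFAIL for bogus data has to come from Unbound's own validator.

```conf
# --- Setup that reproduces the reported behaviour (assumed, for illustration) ---
# Forward everything to an upstream resolver but leave Unbound's validator off.
# Unbound sends the upstream query with CD=1, so the upstream returns the
# (bogus) data instead of SERVFAIL, and the client sees an "insecure" answer.
server:
    module-config: "iterator"          # no validator: nothing can turn bogus into SERVFAIL

forward-zone:
    name: "."
    forward-addr: 192.0.2.53           # placeholder forwarder address (assumption)

# --- Corrected setup (assumed, for illustration) ---
# Enable Unbound's own DNSSEC validation so that bogus answers become SERVFAIL
# regardless of what the forwarder decided. forward-first is set to "no"
# explicitly: with forward-first: yes, a SERVFAIL from the forwarder makes
# Unbound retry by full recursion (the 1.5.4-and-older forward_add behaviour
# mentioned in the thread), which is usually not what a forwarding-only
# deployment wants.
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # path is an assumption

forward-zone:
    name: "."
    forward-addr: 192.0.2.53           # placeholder forwarder address (assumption)
    forward-first: no
```

After reloading, a query for a deliberately broken name should return SERVFAIL from Unbound, and `dig +cd` against Unbound should return the bogus data, showing that the failure now originates in Unbound's validator rather than in the forwarder. The unbound-control forward_add command is live state only; putting the forward-zone in unbound.conf keeps forward-first under explicit control across restarts.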