# unbound DNSSEC verification with forwarder

## totony

Hi, I'm having trouble making unbound honor the DNSSEC verification of my forwarder.

I use unbound as a local caching forwarder, and my forwarder does DNSSEC validation for me.

When I simply put e.g. 8.8.8.8 (Google's DNS) in /etc/resolv.conf or if I do "dig @8.8.8.8 www.dnssec-failed.org", I see no reply and the status of the DNS reply is set to SERVFAIL due to invalid DNSSEC validation.

When I change resolv.conf to my local unbound instance, it forwards data to 8.8.8.8, but I receive a normal reply from www.dnssec-failed.org. Is there any way to make unbound send back the reply I get from dig @8.8.8.8?

unbound.conf

```
server:
   cache-min-ttl: 60
   access-control: 127.0.0.1 allow
   access-control: ::1 allow
   interface: 127.0.0.1
   interface: ::1
   port: 53

   chroot: "/etc/unbound"
   username: "unbound"

   logfile: "unbound.log"
   module-config: "iterator"

forward-zone:
   name: "."
   forward-addr: 8.8.8.8
```

dig www.dnssec-failed.org

```
; <<>> DiG 9.10.3-P2 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17362
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.      IN   A

;; ANSWER SECTION:
www.dnssec-failed.org.   6299   IN   A   69.252.193.191
www.dnssec-failed.org.   6299   IN   A   68.87.109.242

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 29 01:21:54 EST 2016
;; MSG SIZE  rcvd: 82
```

dig @8.8.8.8 www.dnssec-failed.org

```
; <<>> DiG 9.10.3-P2 <<>> @8.8.8.8 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org.      IN   A

;; Query time: 167 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 29 01:22:55 EST 2016
;; MSG SIZE  rcvd: 50
```

----------
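The discrepancy between the two dig runs above can be checked mechanically. The following is an added example, not part of the original post and not unbound's own tooling: it parses the header lines of both transcripts and reports when the local resolver answers a name the upstream refused, and when the answer lacks the `ad` flag. The function names and finding labels are hypothetical.

```python
import re

# Constructed sample input: header lines taken from the two dig runs in the post.
VIA_UNBOUND = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17362
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
VIA_UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)
FLAGS_RE = re.compile(r"^;; flags:([^;]*); QUERY: \d+, ANSWER: (\d+)", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#\d+", re.M)


def parse_dig(text):
    """Extract rcode, header flags, answer count and server from dig output."""
    header, flags = HEADER_RE.search(text), FLAGS_RE.search(text)
    if header is None or flags is None:
        raise ValueError("no dig response header found")
    server = SERVER_RE.search(text)
    return {
        "status": header.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
        "server": server.group(1) if server else None,
    }


def compare(local_text, upstream_text):
    """Return finding labels (hypothetical names) for the local resolver's reply."""
    local, upstream = parse_dig(local_text), parse_dig(upstream_text)
    findings = []
    # The upstream refused to answer, yet the local resolver handed out records.
    if upstream["status"] == "SERVFAIL" and local["status"] == "NOERROR" and local["answers"] > 0:
        findings.append("ANSWERED_DESPITE_UPSTREAM_SERVFAIL")
    # AD is set only when the responding resolver vouches for the data as validated.
    if local["status"] == "NOERROR" and "ad" not in local["flags"]:
        findings.append("NO_AD_FLAG")
    return findings


if __name__ == "__main__":
    print(compare(VIA_UNBOUND, VIA_UPSTREAM))
```

SERVFAIL from the upstream can have causes other than a failed DNSSEC validation, so the first finding is a signal to investigate, not proof on its own.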

