Hey folks,

I am a bit baffled by the following problem and seek your advice.

I am on a LAN and 192.168.14.1/24 is running unbound
1.4.17-3+deb7u1. It is a recursive resolver, except that the zone
"gern" is forwarded to ::1 on the host, where nsd3 runs and resolves
them ("gern" is actually a 1:1 copy of gern.madduck.net, but I am
using the abbreviated zone internally).

This works just fine and all hosts on the LAN are happy.

I also have a laptop running unbound 1.4.22-2 (because I often need
to add local-zones and I have a few kvm instances on the host).
resolvconf configures unbound to use 192.168.14.1 as a forwarder,
and this also works just fine for all global domains, e.g.

% grep nameserver /etc/resolv.conf
nameserver 127.0.0.1

% host debian.org | wc -l
11

% ping -nc1 debian.org
PING debian.org (128.31.0.62) 56(84) bytes of data.
64 bytes from 128.31.0.62: icmp_seq=1 ttl=53 time=265 ms
[…]

For the purpose of solving the problem at hand, I have reduced the
config to only have one directive:

auto-trust-anchor-file: "/var/lib/unbound/root.key"

The problem is that any requests for the abbreviated "gern" zone
yield SERVFAIL.

% host julia.gern
Host julia.gern not found: 2(SERVFAIL)

but they work fine when addressed directly at the LAN DNS server:

% host julia.gern 192.168.14.1
julia.gern has address 192.168.14.2
julia.gern has IPv6 address 2001:a60:f0fb:0:9eb6:54ff:fe0b:e5e4

Do you have any idea why unbound is failing on the abbreviated zone
requests?

I fI remove the auto-trust-anchor-file config directive, it works,
so it seems this is DNSSEC-related (none of my zones are signed
yet). Can someone enlighten me and help em understand what's going
on?

What's the best way to solve this?

Thanks!