I'm using unbound 1.18.0 as included in OpenBSD 7.4 to provide recursive DNS, and configured it with auth-zone to speed up lookups and changes. It works just fine with this config:

    auth-zone:
        name: "example.network"
        primary: ns.example.org
        allow-notify: 2001:db8::53    # raw IP of ns.example.org
        allow-notify: ns.example.org
        fallback-enabled: yes
        for-downstream: no
        for-upstream: yes

Specifically, primary uses the hostname to look up the correct IPs to do the AXFR from.

However, when I try to switch it to use DNS-over-TLS for AXFR, it fails:

    auth-zone:
        name: "example.network"
        primary: ns.example.org@853#ns.example.org
        allow-notify: 2001:db8::53    # raw IP of ns.example.org
        allow-notify: ns.example.org
        fallback-enabled: yes
        for-downstream: no
        for-upstream: yes

I get this message in syslog:

    unbound: [76439:0] error: example.network.: failed lookup, cannot probe to master ns.example.org@853#ns.example.org

But when I change primary to

    primary: 2001:db8::53@853#ns.example.org

everything works fine. Is this intentional?

--
If this fortune didn't exist, somebody would have invented it.
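An added example, not part of the original post and not unbound's own code: a small Python script that performs by hand the probe unbound reports it cannot do for `ns.example.org@853#ns.example.org`, so the three steps hidden in that one config token can be checked separately: resolving the hostname to addresses, authenticating the TLS session against the `#` auth name, and sending the SOA query over the TLS connection with the RFC 7858 two-byte length prefix. The function and variable names (`probe_primary`, `build_soa_query`, and so on) are mine; the zone, host and auth name are taken from the post. The sample answer is constructed in `build_soa_response`, not captured traffic, so everything except `probe_primary` runs offline.

```python
import secrets
import socket
import ssl
import struct

SOA, IN = 6, 1  # QTYPE SOA, QCLASS IN (RFC 1035)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_soa_query(zone, qid):
    """SOA/IN query with RD=0: the kind of probe a secondary sends to a master."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)


def build_soa_response(query, mname, rname, serial):
    """Constructed sample answer (not captured traffic): AA=1, one SOA RR whose
    owner name is a pointer (0xC00C) to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rdata = (encode_name(mname) + encode_name(rname)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 300))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1, RCODE=0
    return header + question + rr


def parse_soa_response(msg, expected_qid):
    """Return rcode, AA flag, MNAME and serial; raise on id mismatch or non-response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    result = {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "mname": None, "serial": None}
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            mname, o = decode_name(msg, off)
            _rname, o = decode_name(msg, o)
            result["mname"] = mname
            result["serial"] = struct.unpack("!I", msg[o:o + 4])[0]
        off += rdlen
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_primary(host, zone, port=853, auth_name=None, timeout=5.0):
    """Network part: resolve host (A and AAAA), connect to port 853 over TLS,
    verify the certificate against auth_name (the '#name' part of unbound's
    primary: token), send the length-prefixed SOA probe and parse the reply."""
    auth_name = auth_name or host
    ctx = ssl.create_default_context()               # verifies chain and hostname
    last_err = None
    for _family, _stype, _proto, _canon, addr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        try:
            with socket.create_connection(addr[:2], timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
                    qid = secrets.randbits(16)
                    q = build_soa_query(zone, qid)
                    tls.sendall(struct.pack("!H", len(q)) + q)
                    (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                    return addr[0], parse_soa_response(_recv_exact(tls, length), qid)
        except (OSError, ssl.SSLError) as e:
            last_err = e                              # try the next address
    raise RuntimeError(f"cannot probe {host}@{port}#{auth_name}: {last_err}")
```

Running `probe_primary("ns.example.org", "example.network", auth_name="ns.example.org")` from the resolver host separates the cases: a `socket.gaierror` means the hostname itself did not resolve, an `ssl.SSLCertVerificationError` means the certificate does not match the auth name, and a parsed answer with `aa` set and a serial means the master is reachable over TLS, which is what the working `2001:db8::53@853#ns.example.org` form exercises.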