Hi, I’m kind of stuck with this problem. HashiCorp's consul doesn’t support DNSSEC and as such, I can’t forward from my main bind instance (DNSSEC enabled) to the consul daemon directly. I can’t turn off DNSSEC in the bind instance either.
Instead, my naive plan is to:

1. Instruct bind to forward requests for the consul domain to unbound. They can use DNSSEC for this step.
2. Once unbound receives the request from bind, instruct unbound to forward it further to consul (no DNSSEC).
3. Retrieve the answer from consul and give it back to bind.

Basically, I want to hide a DNS server (consul) that can’t speak DNSSEC behind unbound. Is that possible?

Thanks!
Sergei
