stub resolver (lwresd?)

Graham Clinch g.clinch at
Sun Apr 17 23:20:56 UTC 2016

I'm trying to settle on a (Linux) caching stub resolver configuration 
and looking at lwresd, but it's not working as I expect for validation.

Given an lwresd.conf of:

options {
   forwarders {; };
   forward only;
   dnssec-enable yes;
   dnssec-validation auto;
};
lwres {};

Clients (via libnss-lwres) can unexpectedly resolve  The forwarder ( is a validating 
bind instance, but lwresd is sending queries with the CD flag set, 
though it then doesn't follow up by doing any validation locally.  I can 
force lwresd to not set the CD flag with an additional:

server {
   edns no;
};

and then the SERVFAIL for from the bind instance does 
propagate down to the client, but this all feels a bit guess-worky.

I'd really appreciate any input from people who have deployed lwresd or 
a different stub resolver.  From scraping around the web, I detect that 
lwresd isn't widely used.  Should I just use 'full' named everywhere? 
systemd-resolved makes too many assumptions to be in with much of a 
chance, and nscd holds unhappy memories.
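
Whether the forwarder or the upstream is expected to validate can be read from the CD and DO bits of a captured query. The following is an added example, not part of the original post: the two queries are constructed, and example.com and all function names are assumptions chosen for illustration.

```python
import struct

def build_query(name, cd, do=None, qid=0x1234):
    """Constructed sample query. do=None means no EDNS OPT record at all."""
    flags = 0x0100 | (0x0010 if cd else 0)          # RD, plus CD if asked
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 0 if do is None else 1)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", 1, 1)        # QTYPE A, QCLASS IN
    if do is not None:                               # OPT RR: DO is bit 15 of the TTL's low half
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                         # compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect(msg):
    """Return the header and EDNS bits that decide who validates."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": flags & 0x000F, "edns": False, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            info["edns"], info["do"] = True, bool(ttl & 0x8000)
    return info

def who_validates(query):
    """Assumes the upstream is a validating resolver, as in the post."""
    if inspect(query)["cd"]:
        return "forwarder"   # CD set: upstream returns data even if validation fails
    return "upstream"        # CD clear: upstream answers SERVFAIL for bogus data

default_query = build_query("example.com", cd=True, do=True)   # shape reported by default
no_edns_query = build_query("example.com", cd=False)           # shape reported with 'edns no'
```

Feeding `inspect()` the UDP payload of a query captured between the stub and its forwarder shows which case applies; a result of "forwarder" with no local validation is the gap the post describes.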

