<div dir="ltr"><div>Thanks for looking into this. I have added some other sites that also present this problem to the issue.</div><div><br></div><div>best,</div><div>hank<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 23, 2018 at 8:58 AM, Petr Špaček via Unbound-users <span dir="ltr"><<a href="mailto:unbound-users@unbound.net" target="_blank">unbound-users@unbound.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Hank,<br>
<br>
On 23/05/18 15:23, Hank Barta via Unbound-users wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<br>
I use pfsense for my firewall and have selected the unbound resolver for<br>
DNS on my home LAN. I have configured this to use Cloudflare DNS with<br>
DNSSEC enabled. In addition to checking the "Enable DNSSEC Support"<br>
checkbox on the DNS Resolver configuration page I have added the custom<br>
options<br>
</blockquote>
<br>
The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.<br>
And for an insecure referral it needs DS denial information for type DS,<br>
eg. the NSEC or NSEC3 from the .show TLD.<br>
<br>
Without the forward to 1.1.1.1 it works fine for me. So it doesn't seem<br>
to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME<br>
for qtype DS.<br>
<br>
A workaround is domain-insecure: "coder.show" in unbound.conf<br>
</blockquote>
<br></span>
This is most likely a bug in Knot Resolver and we are working on fix:<br>
<a href="https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359" rel="noreferrer" target="_blank">https://gitlab.labs.nic.cz/kno<wbr>t/knot-resolver/issues/359</a><span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Petr Špaček @ CZ.NIC<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">'03 BMW F650CS - hers<br>'98 Dakar K12RS - "BABY K" grew up.<br>'93 R100R w/ Velorex 700 (MBD starts...)<br>'95 Miata - "OUR LC"<br>polish visor: apply squashed bugs, rinse, repeat<br>Beautiful Sunny Winfield, Illinois</div>
</div>