<div dir="ltr"><div dir="ltr"><div dir="ltr">> Can you try with unbound having direct<br>> unfiltered port 53 to the internet?<br></div><div dir="ltr"><br></div><div>Yes, that was my scenario: public IP with no filter (I'm going to enable iptables later) trying to discover the solution.</div><div><br></div><div>Like Anand said, I misconfigured "do-tcp: no" and that was the reason for .org resolution failing.</div><div><br></div><div>Thanks again :-D</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, 10 Sep 2018 at 16:39, Paulo Roberto Tomasi <<a href="mailto:pztomasi@gmail.com">pztomasi@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr">Thank you very much! <br><div><br></div><div>Now <a href="https://www.rootcanary.org/test.html" target="_blank">https://www.rootcanary.org/test.html</a> shows me green padlocks.</div><div><br></div><div>:-D<br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, 10 Sep 2018 at 16:26, Anand Buddhdev <<a href="mailto:anandb@ripe.net" target="_blank">anandb@ripe.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:<br>
<br>
Hi Paulo,<br>
<br>
> do-tcp: no<br>
<br>
Don't disable TCP. TCP is *required* for proper operation of DNS,<br>
especially if you want to do DNSSEC validation. Many of the signed<br>
responses can be large. For example, the DNSKEY response for .ORG is<br>
1625 bytes, and sometimes TCP is required in order to retrieve such<br>
large responses. Disabling TCP can cause DNSSEC validation to fail.<br>
<br>
Regards,<br>
Anand<br>
</blockquote></div>
</blockquote></div>
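A configuration check for the misconfiguration discussed in this thread, as an added example that is not part of the original messages or of Unbound itself. It flags `do-tcp: no`, and treats it as an error when a trust anchor is configured. Assumptions: the sample configurations and the key file path are constructed, a repeated option takes its last value, a configured trust anchor is taken to mean DNSSEC validation is in use, and `include:` files are not followed.

```python
import re

# Options that give Unbound a DNSSEC trust anchor.
ANCHOR_OPTS = {"auto-trust-anchor-file", "trust-anchor-file",
               "trust-anchor", "trusted-keys-file"}

def parse_options(conf_text):
    """Collect {option: [values]} from unbound.conf-style text.
    '#' comments are dropped; include: files are not followed."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([a-z0-9-]+):\s*(.+)$", line)
        if m:  # clause headers such as "server:" carry no value and are skipped
            opts.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return opts

def check_tcp(conf_text):
    """Return findings about do-tcp for one configuration text."""
    opts = parse_options(conf_text)
    # Assumption: a repeated option takes its last value; do-tcp defaults to yes.
    do_tcp = opts.get("do-tcp", ["yes"])[-1].lower()
    # Assumption: a configured trust anchor means DNSSEC validation is in use.
    validating = any(name in opts for name in ANCHOR_OPTS)
    if do_tcp != "no":
        return []
    if validating:
        return ["ERROR: do-tcp is 'no' while a trust anchor is configured; "
                "large signed answers such as a DNSKEY response cannot be "
                "fetched over TCP and validation can fail"]
    return ["WARN: do-tcp is 'no'; responses too large for UDP cannot be retrieved"]

# Constructed sample configurations (the key file path is a placeholder).
WEAK = """
server:
    interface: 0.0.0.0
    do-tcp: no
    auto-trust-anchor-file: "/path/to/root.key"
"""
FIXED = WEAK.replace("do-tcp: no", "do-tcp: yes")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_tcp(text) or "ok")
```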