<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 12 Jan 2020 at 14:30, Stephane Bortzmeyer <<a href="mailto:bortzmeyer@nic.fr">bortzmeyer@nic.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sun, Jan 12, 2020 at 02:20:24PM +0100,<br>
Erik Dobák <<a href="mailto:erik.dobak@gmail.com" target="_blank">erik.dobak@gmail.com</a>> wrote <br>
a message of 109 lines which said:<br>
<br>
> as i wrote other TLDs (.net .com and some country TLDs) resolved all<br>
> fine. for .org i tried <a href="http://debian.org" rel="noreferrer" target="_blank">debian.org</a> <a href="http://ietf.org" rel="noreferrer" target="_blank">ietf.org</a> <a href="http://gentoo.org" rel="noreferrer" target="_blank">gentoo.org</a> and maybe<br>
> some others with all failing.<br>
<br>
Then, I suggest to query directly the authoritative name servers of<br>
.org, to see if they are reachable. (If not, it's not Unbound's fault.)<br>
<br>
% dig @<a href="http://a0.org.afilias-nst.info" rel="noreferrer" target="_blank">a0.org.afilias-nst.info</a>. <a href="http://gentoo.org" rel="noreferrer" target="_blank">gentoo.org</a><br>
...<br>
;; AUTHORITY SECTION:<br>
<a href="http://gentoo.org" rel="noreferrer" target="_blank">gentoo.org</a>. 86400 IN NS <a href="http://ns1.gentoo.org" rel="noreferrer" target="_blank">ns1.gentoo.org</a>.<br>
<a href="http://gentoo.org" rel="noreferrer" target="_blank">gentoo.org</a>. 86400 IN NS <a href="http://ns2.gentoo.org" rel="noreferrer" target="_blank">ns2.gentoo.org</a>.<br>
<a href="http://gentoo.org" rel="noreferrer" target="_blank">gentoo.org</a>. 86400 IN NS <a href="http://ns3.gentoo.org" rel="noreferrer" target="_blank">ns3.gentoo.org</a>.<br>
...<br>
;; Query time: 246 msec<br>
;; SERVER: 2001:500:e::1#53(2001:500:e::1)<br>
;; WHEN: Sun Jan 12 14:28:22 CET 2020<br>
;; MSG SIZE rcvd: 408<br>
<br>
> so you say the message 'connection timed out; no servers could be reached'<br>
> from dig does not mean that my pc got trouble to connect the router but the<br>
> router got trouble to connect to root DNS servers?<br>
<br>
Or other authoritative name servers. Probably not the root since other<br>
TLDs work.<br>
<br>
When you query the resolver, it has to contact the authoritative name<br>
servers. May be dig timeouted before Unbound did. dig +timeout=30 to<br>
see if, giving more time, Unbound makes a decision (probably SERVFAIL,<br>
if there is a reachability problem)?<br>
<br>
> looks like something is killing my (or returning) packets filtered by the<br>
> presence of .org string.<br>
> MITM??? or who is now trying to screw .org??<br>
<br>
Let's search simple explanations first: a routing/reachability<br>
problem.<br>
<br>
> ps: i am using DNSSEC but AFAIK this does not mean the resolve requests are<br>
> encrypted...<br>
<br>
Indeed. DNSSEC signs but does not encrypt.<br></blockquote><div><br></div><span class="gmail-postbody">it is gone 20200113 20:49 UTC+1</span></div></div>