<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div><div class=""><br class=""></div></div></div></div></div></div></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 6 May 2021, at 10:43, Renaud Allard via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" class="">unbound-users@lists.nlnetlabs.nl</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><br class=""><br class="">On 5/5/21 8:50 PM, Gerben Wierda via Unbound-users wrote:<br class=""><blockquote type="cite" class="">I have tested additionally on a separate test machine with unbound 1.13.1 with logging set to 4<br class="">Same problem. I also noticed there are TCP errors, but I have do-tcp set to no.<br class=""></blockquote><br class="">The domain you are testing uses DNSSEC with RSASHA256, you should probably enable do-tcp.<br class=""></div></div></blockquote><br class=""></div><div>And that solved it. NAT, FW etc was not the issue. Turning do-tcp on makes resolving this domain work.</div><br class=""><div class="">Ah. I was under the impression that I could have a setup that doesn’t do TCP at all, but it seems that these days, TCP is a requirement.</div><div class=""><br class=""></div><div class="">Basically, do-tcp must be a yes to be able to resolve the entire internet. do-tcp: no means some names will not resolve. And this will become worse over time. Setting do-tcp to no might come with a decent warning, then.</div><div class=""><br class=""></div><div class="">Thanks, all.</div><div class=""><br class=""></div><div class="">G</div></body></html>