local stubs not served when internet down
A. Schulze
sca at andreasschulze.de
Tue Jun 21 21:34:19 UTC 2016
On 21.06.2016 at 19:23, Daisuke HIGASHI via Unbound-users wrote:
> I guess that your unbound resolver is set to do DNSSEC validation.
>
> Unbound tries to verify chain of trust from root (.) to the resolving domain,
> even if the domain is a stub/forwarder zone. Obviously the validation fails
> when unbound can't reach root servers (or TLD servers) due to network outage.
sounds plausible.
> Possible workaround is to set negative trust anchor
> (domain-insecure) for the stub zone like this:
>
> server:
>     auto-trust-anchor-file: "root.key" # DNSSEC validation enabled
>     domain-insecure: "mydummylocaldomain.com"
> stub-zone:
>     name: "mydummylocaldomain.com"
>     stub-addr: 127.0.0.1@54
Even operating a root zone mirror (RFC 7706) wouldn't help, because second-level domains could not be reached.
So if a network wants to keep internal/own services running, DNSSEC must be disabled (entirely or by setting negative trust anchors).
Consequence to me: using DNSSEC *requires* connectivity.
Am I right?
Andreas
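As an added example (not part of the thread, and not Unbound's own tooling), the following shell functions emit an unbound.conf fragment of the kind quoted above for an internal stub zone marked domain-insecure, and use dig to tell a DNSSEC validation failure apart from a plain lookup failure: a name that returns SERVFAIL normally but resolves with +cd (checking disabled) is failing validation, not the local stub server. The zone name, stub address (127.0.0.1@54 means port 54) and resolver address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Zone, stub address and resolver
# address below are constructed placeholders.

# Print an unbound.conf fragment for one internal zone served by a local
# authoritative server; domain-insecure excludes it from validation so it
# keeps resolving when the root/TLD servers are unreachable.
gen_insecure_stub_conf() {
    zone=$1; stub=$2
    printf 'server:\n'
    printf '    auto-trust-anchor-file: "root.key"\n'
    printf '    domain-insecure: "%s"\n' "$zone"
    printf 'stub-zone:\n'
    printf '    name: "%s"\n' "$zone"
    printf '    stub-addr: %s\n' "$stub"
}

# Print the RCODE dig reports (NOERROR, SERVFAIL, ...) for an A query, or
# fail if dig got no reply at all. Extra dig options may follow.
dig_rcode() {
    name=$1; server=$2; shift 2
    out=$(dig @"$server" "$name" A +noall +comments +time=2 +tries=1 "$@" 2>/dev/null) || return 1
    echo "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify a lookup against a validating resolver. With +cd the resolver
# answers without validating, so "SERVFAIL normally, NOERROR with +cd"
# means the chain of trust (not the stub server) is what is failing.
classify_lookup() {
    name=$1; server=${2:-127.0.0.1}
    plain=$(dig_rcode "$name" "$server") || { echo "UNREACHABLE"; return; }
    cdr=$(dig_rcode "$name" "$server" +cd)
    if [ "$plain" = "NOERROR" ]; then
        echo "OK"
    elif [ "$cdr" = "NOERROR" ]; then
        echo "VALIDATION_FAILURE"
    else
        echo "LOOKUP_FAILURE"
    fi
}

# Usage: generate the fragment, then classify a host in the zone.
# gen_insecure_stub_conf corp.example 127.0.0.1@54
# classify_lookup host.corp.example 127.0.0.1
```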