Some sites not resolving (DNSSEC?)
Hank Barta
hbarta at gmail.com
Wed May 23 13:23:44 UTC 2018
Hi all,
I use pfsense for my firewall and have selected the unbound resolver for
DNS on my home LAN. I have configured this to use Cloudflare DNS with
DNSSEC enabled. In addition to checking the "Enable DNSSEC Support"
checkbox on the DNS Resolver configuration page I have added the custom
options
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
(full configuration at the link below.)
This generally seems to work except for several hosts from which I try to
fetch podcasts. One of these is coder.show. I have bumped logging for
unbound one level and collected the log for this host, which can be
viewed at
https://docs.google.com/document/d/1oPUpRzIdANfuUuU7ljXNts1cR79FxBul099lbcBwE54/edit?usp=sharing
The last several lines are (oldest last)
May 20 10:34:52 info: Could not establish a chain of trust to keys for coder.show. DNSKEY IN
May 20 10:34:52 info: query response was nodata ANSWER
May 20 10:34:52 info: reply from <.> 1.1.1.1#853
Other information: Even though none of the other hosts on my LAN can
resolve this name, it is resolved by the diagnostic page on pfsense.
If I check the name at https://dnslookup.org/coder.show/A/#dnssec it
reports that the "Result is Insecure." However I get the same result for
google.com and it resolves w/out difficulty on my LAN. I'm not familiar
with all of the information on this page but one thing that caught my
attention was the query to ns2.hover.com. The AUTHORITY section seems to
show a bunch of queries that return no data. Does this indicate a missing
certificate?
Any suggestions for fixing this are most welcome!
thanks,
hank
--
'03 BMW F650CS - hers
'98 Dakar K12RS - "BABY K" grew up.
'93 R100R w/ Velorex 700 (MBD starts...)
'95 Miata - "OUR LC"
polish visor: apply squashed bugs, rinse, repeat
Beautiful Sunny Winfield, Illinois
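
An added example, not part of the original post or of Unbound: a small Python triage that reads log lines in the trimmed format quoted above and pairs each "Could not establish a chain of trust" message with the upstream reply logged just before it. The function name and the adjacency-based pairing are assumptions of this example; on a busy resolver, interleaved queries can break the pairing.

```python
import re

# Constructed sample: the three lines quoted in the post (wrapped line rejoined),
# in the order the post gives them, newest first.
SAMPLE_NEWEST_FIRST = """\
May 20 10:34:52 info: Could not establish a chain of trust to keys for coder.show. DNSKEY IN
May 20 10:34:52 info: query response was nodata ANSWER
May 20 10:34:52 info: reply from <.> 1.1.1.1#853
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<level>\w+): (?P<msg>.*)$")
REPLY = re.compile(r"^reply from <(?P<zone>[^>]*)> (?P<addr>[^#\s]+)#(?P<port>\d+)$")
RESPONSE = re.compile(r"^query response was (?P<kind>.+)$")
NO_TRUST = re.compile(
    r"^Could not establish a chain of trust to keys for "
    r"(?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")


def chain_of_trust_failures(log_text, newest_first=True):
    """Return one dict per validator failure, with the reply logged before it."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    if newest_first:
        lines.reverse()  # walk the log in chronological order
    findings, upstream, response = [], None, None
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # not in the trimmed "date time level: message" format
        msg = m["msg"]
        if (r := REPLY.match(msg)):
            # A new reply arrived: remember which forwarder sent it.
            upstream, response = (r["zone"], r["addr"], int(r["port"])), None
        elif (r := RESPONSE.match(msg)):
            response = r["kind"]  # e.g. "nodata ANSWER"
        elif (r := NO_TRUST.match(msg)):
            findings.append({
                "time": m["ts"], "name": r["name"], "qtype": r["qtype"],
                "upstream": upstream, "response": response,
            })
    return findings


if __name__ == "__main__":
    for f in chain_of_trust_failures(SAMPLE_NEWEST_FIRST):
        print(f)
```

For the quoted lines this reports that the failure for coder.show. followed a nodata answer to a DNSKEY query from the forwarder 1.1.1.1 on port 853.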