Some sites not resolving (DNSSEC?)
wouter at nlnetlabs.nl
Wed May 23 13:46:04 UTC 2018
On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
> Hi all,
> I use pfsense for my firewall and have selected the unbound resolver for
> DNS on my home LAN. I have configured this to use Cloudflare DNS with
> DNSSEC enabled. In addition to checking the "Enable DNSSEC Support"
> checkbox on the DNS Resolver configuration page I have added the custom
The 126.96.36.199 server responds without DNSSEC for coder.show DS queries.
And for an insecure referral it needs DS denial information for type DS,
e.g. the NSEC or NSEC3 from the .show TLD.
Without the forward to 188.8.131.52 it works fine for me. So it doesn't seem
to be the .show TLD or coder.show site, but the 184.108.40.206 unsigned CNAME
for qtype DS.
A workaround is domain-insecure: "coder.show" in unbound.conf
Best regards, Wouter
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
coder.show. IN DS
;; ANSWER SECTION:
coder.show. 437 IN CNAME hosted.fireside.fm.
;; AUTHORITY SECTION:
fireside.fm. 3600 IN SOA cory.ns.cloudflare.com. dns.cloudflare.com. 2027772252 10000 2400 604800 3600
;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 122
> name: "."
> forward-ssl-upstream: yes
> forward-addr: 220.127.116.11@853
> forward-addr: 18.104.22.168@853
> (full configuration at the link below.)
> This generally seems to work except for several hosts from which I try
> to fetch podcasts. One of these is coder.show. I have bumped logging for
> unbound one level and collected the log for this host and which can be
> viewed at
> The last several lines are (oldest last)
> May 20 10:34:52 info: Could not establish a chain of trust to keys for
> coder.show. DNSKEY IN
> May 20 10:34:52 info: query response was nodata ANSWER
> May 20 10:34:52 info: reply from <.> 22.214.171.124#853
> Other information: Even though none of the other hosts on my LAN can
> resolve this name, it is resolved by the diagnostic page on pfsense.
> If I check the name at https://dnslookup.org/coder.show/A/#dnssec it
> reports that the "Result is Insecure." However I get the same result for
> google.com and it resolves w/out difficulty on my
> LAN. I'm not familiar with all of the information on this page but one
> thing that caught my attention was the query to ns2.hover.com.
> The AUTHORITY section seems to show a bunch of
> queries that return no data. Does this indicate a missing certificate?
> Any suggestions for fixing this are most welcome!
> '03 BMW F650CS - hers
> '98 Dakar K12RS - "BABY K" grew up.
> '93 R100R w/ Velorex 700 (MBD starts...)
> '95 Miata - "OUR LC"
> polish visor: apply squashed bugs, rinse, repeat
> Beautiful Sunny Winfield, Illinois
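To make the distinction Wouter draws concrete, here is a small added diagnostic (example code written for this page, not Unbound's code and not from the thread) that reads dig-style output such as the DS reply quoted above and reports whether a validator could prove the delegation secure, provably insecure, or neither. Both sample responses are constructed; the second uses placeholder zone names and NSEC3/RRSIG data.

```python
import re

# Constructed sample modelled on the DS reply in the thread: CNAME answer, unsigned SOA, no RRSIG/NSEC/NSEC3.
UNSIGNED_CNAME_RESPONSE = """\
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
coder.show. IN DS
;; ANSWER SECTION:
coder.show. 437 IN CNAME hosted.fireside.fm.
;; AUTHORITY SECTION:
fireside.fm. 3600 IN SOA cory.ns.cloudflare.com. dns.cloudflare.com. 2027772252 10000 2400 604800 3600
"""

# Constructed sample of what a validator needs for an insecure delegation: signed NSEC3 denial of DS (placeholders).
PROVEN_INSECURE_RESPONSE = """\
;; QUESTION SECTION:
example.show. IN DS
;; AUTHORITY SECTION:
show. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 900 1209600 3600
HASH1.show. 3600 IN NSEC3 1 1 0 - HASH2 NS SOA RRSIG DNSKEY NSEC3PARAM
HASH1.show. 3600 IN RRSIG NSEC3 8 2 3600 20180601000000 20180501000000 12345 show. PLACEHOLDER==
"""

def parse_sections(text):
    """Split dig-style output into {section: [token lists]}, skipping ';;' comment lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            sections[current].append(line.split())
    return sections

def classify_ds_response(text):
    """Return (status, reason): what a DNSSEC validator can conclude from a DS reply."""
    s = parse_sections(text)
    question = (s.get("QUESTION") or [[]])[0]
    if not question or question[-1] != "DS":
        return ("n/a", "not a DS query")
    rrtypes = lambda sec: {rr[3] for rr in s.get(sec, []) if len(rr) > 3}
    answer, authority = rrtypes("ANSWER"), rrtypes("AUTHORITY")
    if "DS" in answer and "RRSIG" in answer:
        return ("secure", "signed DS RRset: secure delegation")
    if authority & {"NSEC", "NSEC3"} and "RRSIG" in authority:
        return ("insecure", "signed NSEC/NSEC3 denies DS: provably insecure delegation")
    why = "unsigned CNAME for qtype DS" if "CNAME" in answer else "no DS RRset"
    return ("unprovable", why + " and no signed NSEC/NSEC3 denial: chain of trust fails")
```

The "unprovable" case is the one in the thread: the forwarder's CNAME reply carries no proof either way, so the validator cannot establish the chain of trust and the domain-insecure workaround is what tells Unbound to stop trying.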