Some sites not resolving (DNSSEC?)

Petr Špaček petr.spacek at
Wed May 23 13:58:44 UTC 2018

On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Hank,
> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>> Hi all,
>> I use pfsense for my firewall and have selected the unbound resolver for
>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>> checkbox on the DNS Resolver configuration page I have added the custom
>> options
> The server responds without DNSSEC for DS queries.
> And for an insecure referral it needs DS denial information for type DS,
> e.g. the NSEC or NSEC3 from the .show TLD.
> Without the forward to it works fine for me.  So it doesn't seem
> to be the .show TLD or site, but the unsigned CNAME
> for qtype DS.
> A workaround is domain-insecure: "" in unbound.conf

This is most likely a bug in Knot Resolver and we are working on a fix:

Petr Špaček  @  CZ.NIC
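
The outcomes a validator can reach for a DS query, as described in the quoted reply, sketched as an added example (not part of the original messages and not Unbound's or Knot Resolver's code). The zone names and records are constructed, and signatures are only checked for presence, not cryptographically verified.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str
    rtype: str                      # "DS", "NSEC", "NSEC3", "CNAME", "RRSIG", ...
    covers: str = ""                # for RRSIG: the type it signs
    types: frozenset = frozenset()  # for NSEC: type bitmap at the owner name

def signed(section, owner, rtype):
    """True if an RRSIG covering (owner, rtype) is present in the section."""
    return any(r.rtype == "RRSIG" and r.owner == owner and r.covers == rtype
               for r in section)

def classify_ds_response(qname, answer, authority):
    """Simplified model: 'secure', 'insecure' or 'bogus' for a DS query."""
    # A signed DS continues the chain of trust into the child zone.
    if any(r.rtype == "DS" and r.owner == qname for r in answer):
        return "secure" if signed(answer, qname, "DS") else "bogus"
    # No DS: the parent must prove its absence with signed NSEC/NSEC3.
    for r in authority:
        if r.rtype == "NSEC" and r.owner == qname and signed(authority, qname, "NSEC"):
            # Delegation point: NS bit set, DS and SOA bits clear.
            if "NS" in r.types and not ({"DS", "SOA"} & r.types):
                return "insecure"
        if r.rtype == "NSEC3" and signed(authority, r.owner, "NSEC3"):
            return "insecure"       # hash match and opt-out checks omitted here
    # Neither DS nor denial, e.g. an unsigned CNAME answering qtype DS.
    return "bogus"

# Constructed sample responses for the placeholder name child.example.
Q = "child.example."
SIGNED_DS = ([RR(Q, "DS"), RR(Q, "RRSIG", covers="DS")], [])
DENIAL = ([], [RR(Q, "NSEC", types=frozenset({"NS", "RRSIG", "NSEC"})),
               RR(Q, "RRSIG", covers="NSEC")])
UNSIGNED_CNAME = ([RR(Q, "CNAME")], [])

if __name__ == "__main__":
    for name, (ans, auth) in [("signed DS", SIGNED_DS), ("DS denial", DENIAL),
                              ("unsigned CNAME", UNSIGNED_CNAME)]:
        print(f"{name}: {classify_ds_response(Q, ans, auth)}")
```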
