Some sites not resolving (DNSSEC?)
Petr Špaček
petr.spacek at nic.cz
Wed May 23 13:58:44 UTC 2018
On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Hank,
>
> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>> Hi all,
>> I use pfsense for my firewall and have selected the unbound resolver for
>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>> DNSSEC enabled. In addition to checking the "Enable DNSSEC Support"
>> checkbox on the DNS Resolver configuration page I have added the custom
>> options
>
> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
> And for an insecure referral it needs DS denial information for type DS,
> e.g. the NSEC or NSEC3 from the .show TLD.
>
> Without the forward to 1.1.1.1 it works fine for me. So it doesn't seem
> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
> for qtype DS.
>
> A workaround is domain-insecure: "coder.show" in unbound.conf
This is most likely a bug in Knot Resolver and we are working on a fix:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359
--
Petr Špaček @ CZ.NIC
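
The diagnosis quoted above (a DS query answered with an unsigned CNAME instead of DS denial records) can be checked mechanically. The following is an added example, not part of the original thread or of Unbound or Knot Resolver: it classifies dig-style DS responses by which records are present and does not verify signatures. The function names, the sample records and the names `alias.example.` and `signed.example.` are constructed for illustration.

```python
# Constructed dig-style responses to a DS query (sample data, not captured output).
UNSIGNED_CNAME = """;; ANSWER SECTION:
coder.show. 300 IN CNAME alias.example.
"""
NSEC3_DENIAL = """;; AUTHORITY SECTION:
0example0hash.show. 3600 IN NSEC3 1 1 1 - 0EXAMPLE1HASH NS
0example0hash.show. 3600 IN RRSIG NSEC3 8 2 3600 20180601000000 20180501000000 12345 show. c2ln
"""
SIGNED_DS = """;; ANSWER SECTION:
signed.example. 3600 IN DS 12345 8 2 00AA
signed.example. 3600 IN RRSIG DS 8 2 3600 20180601000000 20180501000000 12345 example. c2ln
"""

def parse_sections(text):
    """Return {section name: [(owner, rtype, rdata tokens)]} from dig-style text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line.split()[1].lower()
            sections[current] = []
        elif line and not line.startswith(";") and current:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            sections[current].append((owner, rtype, rdata))
    return sections

def signed_types(records):
    """Record types that an RRSIG in this section claims to cover."""
    return {rdata[0] for _o, rtype, rdata in records if rtype == "RRSIG" and rdata}

def classify_ds_response(text):
    """'secure', 'insecure' (DS absence is provable) or 'unprovable'."""
    sections = parse_sections(text)
    answer = sections.get("answer", [])
    authority = sections.get("authority", [])
    # Signed delegation: a DS RRset accompanied by its RRSIG.
    if any(t == "DS" for _o, t, _r in answer) and "DS" in signed_types(answer):
        return "secure"
    # Insecure referral: signed NSEC/NSEC3 whose type list has no DS.
    covered = signed_types(authority)
    for _o, rtype, rdata in authority:
        if rtype in ("NSEC", "NSEC3") and rtype in covered and "DS" not in rdata:
            return "insecure"
    # Neither DS nor denial records: the chain of trust cannot be completed.
    return "unprovable"
```
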