Some sites not resolving (DNSSEC?)

Petr Špaček petr.spacek at nic.cz
Wed May 23 13:58:44 UTC 2018


On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Hank,
> 
> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>> Hi all,
>> I use pfsense for my firewall and have selected the unbound resolver for
>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>> checkbox on the DNS Resolver configuration page I have added the custom
>> options
> 
> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
> And for an insecure referral it needs DS denial information for type DS,
> e.g. the NSEC or NSEC3 from the .show TLD.
> 
> Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
> for qtype DS.
> 
> A workaround is domain-insecure: "coder.show" in unbound.conf

This is most likely a bug in Knot Resolver and we are working on a fix:
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359

-- 
Petr Špaček  @  CZ.NIC
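
The DS-denial point in the quoted reply, as an added example that is not part of the original thread and not Unbound's validator code: a simplified model that classifies a DS response by which DNSSEC records are present and shows the effect of the domain-insecure workaround. It checks record presence only (no signature verification, no NSEC type-bitmap check); the record owner names and the `classify_ds` helper are constructed for illustration.

```python
# Added illustration: simplified model, not Unbound's validator code.
from typing import NamedTuple

class RR(NamedTuple):
    owner: str
    rtype: str
    covers: str = ""   # type covered, for RRSIG records only

def signed(section, rtype):
    """True if the section holds an RRSIG covering rtype (presence only)."""
    return any(rr.rtype == "RRSIG" and rr.covers == rtype for rr in section)

def under(name, zone):
    """True if name equals zone or is a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def classify_ds(qname, answer, authority, domain_insecure=()):
    """Classify a DS response for qname below a signed parent zone."""
    # domain-insecure: chain of trust is not followed into this name.
    if any(under(qname, d) for d in domain_insecure):
        return "insecure (domain-insecure override)"
    # A DS RRset must come with its RRSIG to continue the chain.
    if any(rr.rtype == "DS" for rr in answer):
        return "secure delegation" if signed(answer, "DS") else "bogus"
    # No DS: an insecure referral needs signed NSEC/NSEC3 denial.
    for denial in ("NSEC", "NSEC3"):
        if any(rr.rtype == denial for rr in authority) and signed(authority, denial):
            return "insecure (proven by " + denial + ")"
    # Neither DS nor a signed denial, e.g. an unsigned CNAME answer.
    return "bogus"

# Constructed sample responses for a DS query on coder.show.
DIRECT = dict(answer=[], authority=[
    RR("show.", "SOA"), RR("show.", "RRSIG", "SOA"),
    RR("hash.show.", "NSEC3"), RR("hash.show.", "RRSIG", "NSEC3")])
FORWARDED = dict(answer=[RR("coder.show.", "CNAME")], authority=[])  # unsigned CNAME

if __name__ == "__main__":
    print(classify_ds("coder.show", **DIRECT))
    print(classify_ds("coder.show", **FORWARDED))
    print(classify_ds("coder.show", **FORWARDED, domain_insecure=["coder.show"]))
```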


