Some sites not resolving (DNSSEC?)

Hank Barta hbarta at gmail.com
Wed May 23 14:51:22 UTC 2018


Thanks for looking into this. I have added some other sites that also
present this problem to the issue.

best,
hank

On Wed, May 23, 2018 at 8:58 AM, Petr Špaček via Unbound-users <
unbound-users at unbound.net> wrote:

> On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
>
>> Hi Hank,
>>
>> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>>
>>> Hi all,
>>> I use pfsense for my firewall and have selected the unbound resolver for
>>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>>> checkbox on the DNS Resolver configuration page I have added the custom
>>> options
>>>
>>
>> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
>> And for an insecure referral it needs DS denial information for type DS,
>> e.g. the NSEC or NSEC3 from the .show TLD.
>>
>> Without the forward to 1.1.1.1 it works fine for me.  So it doesn't seem
>> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
>> for qtype DS.
>>
>> A workaround is domain-insecure: "coder.show" in unbound.conf
>>
>
> This is most likely a bug in Knot Resolver and we are working on a fix:
> https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359
>
> --
> Petr Špaček  @  CZ.NIC
>



-- 
'03 BMW F650CS - hers
'98 Dakar K12RS - "BABY K" grew up.
'93 R100R w/ Velorex 700 (MBD starts...)
'95 Miata - "OUR LC"
polish visor: apply squashed bugs, rinse, repeat
Beautiful Sunny Winfield, Illinois
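
The DS check described in the quoted reply, as an added Python example (not part of the thread and not Unbound's code). The dig-style responses, record values and the name target.example. are constructed, and the classifier only looks at which signed record types are present; it does not verify signatures or NSEC/NSEC3 name coverage.

```python
# Constructed dig-style responses to a "coder.show. DS" query (not captured traffic).
SIGNED_DENIAL = """\
;; AUTHORITY SECTION:
show. 900 IN SOA ns.nic.example. admin.nic.example. 1 7200 900 1209600 900
show. 900 IN RRSIG SOA 8 1 900 20180601000000 20180501000000 11111 show. AAAA
h1.show. 900 IN NSEC3 1 1 1 - h2 NS
h1.show. 900 IN RRSIG NSEC3 8 2 900 20180601000000 20180501000000 11111 show. AAAA
"""
UNSIGNED_CNAME = """\
;; ANSWER SECTION:
coder.show. 300 IN CNAME target.example.
"""
SIGNED_DS = """\
;; ANSWER SECTION:
coder.show. 3600 IN DS 12345 8 2 ABCDEF
coder.show. 3600 IN RRSIG DS 8 2 3600 20180601000000 20180501000000 11111 show. AAAA
"""

def parse(text):
    """Return (rrtype, rdata_fields) for each record line, skipping dig comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            records.append((fields[3].upper(), fields[4:]))
    return records

def classify_ds_response(text):
    """Classify a DS response by the signed RRsets it carries (simplified)."""
    records = parse(text)
    types = {rrtype for rrtype, _ in records}
    # The first RRSIG rdata field is the type the signature covers.
    signed = {rdata[0].upper() for rrtype, rdata in records if rrtype == "RRSIG"}
    if "DS" in types:
        return "secure" if "DS" in signed else "bogus"
    if {"NSEC", "NSEC3"} & types & signed:
        return "insecure"  # signed proof that no DS exists: unsigned child is fine
    return "bogus"         # no DS and no proof of absence: stripping cannot be ruled out

if __name__ == "__main__":
    for name, sample in [("signed denial", SIGNED_DENIAL),
                         ("unsigned CNAME", UNSIGNED_CNAME),
                         ("signed DS", SIGNED_DS)]:
        print(f"{name}: {classify_ds_response(sample)}")
```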