Some sites not resolving (DNSSEC?)

Hank Barta hbarta at
Wed May 23 14:51:22 UTC 2018

Thanks for looking into this. I have added some other sites that also
present this problem to the issue.


On Wed, May 23, 2018 at 8:58 AM, Petr Špaček via Unbound-users <
unbound-users at> wrote:

> On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Hank,
>> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>>> Hi all,
>>> I use pfsense for my firewall and have selected the unbound resolver for
>>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>>> DNSSEC enabled.  In addition to checking the "Enable DNSSEC Support"
>>> checkbox on the DNS Resolver configuration page I have added the custom
>>> options
>> The server responds without DNSSEC for DS queries.
>> And for an insecure referral it needs DS denial information for type DS,
>> e.g. the NSEC or NSEC3 from the .show TLD.
>> Without the forward to it works fine for me.  So it doesn't seem
>> to be the .show TLD or site, but the unsigned CNAME
>> for qtype DS.
>> A workaround is domain-insecure: "" in unbound.conf
> This is most likely a bug in Knot Resolver and we are working on a fix:
> --
> Petr Špaček  @  CZ.NIC

'03 BMW F650CS - hers
'98 Dakar K12RS - "BABY K" grew up.
'93 R100R w/ Velorex 700 (MBD starts...)
'95 Miata - "OUR LC"
polish visor: apply squashed bugs, rinse, repeat
Beautiful Sunny Winfield, Illinois
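
The failure described in the quoted reply, as an added sketch that is not part of the original thread and not Unbound's own code: a simplified model of how a validating resolver classifies the response to a DS query at a delegation. The name example.show., the record dictionaries and the "matches"/"covers" fields are constructed assumptions, and signatures are only modelled as present or absent.

```python
# Added illustration: simplified model of a validator's decision for a DS lookup
# below a signed parent. "rrsig": True only means a covering RRSIG was present;
# no cryptographic verification is done, and NSEC3 hash matching is precomputed
# in the sample data ("matches"/"covers" are hypothetical fields).
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def signed(rrsets, rrtype):
    return [r for r in rrsets if r["type"] == rrtype and r.get("rrsig")]

def classify_ds_response(child, response, domain_insecure=()):
    # domain-insecure: the chain of trust is ignored at and below the listed name
    if any(child == d or child.endswith("." + d) for d in domain_insecure):
        return INSECURE
    rrsets = response["answer"] + response["authority"]
    if any(r["name"] == child for r in signed(response["answer"], "DS")):
        return SECURE  # signed DS: chain of trust continues into the child
    for nsec in signed(rrsets, "NSEC"):
        if nsec["name"] == child and "DS" not in nsec["types"]:
            return INSECURE  # signed proof that no DS exists at the delegation
    for n3 in signed(rrsets, "NSEC3"):
        if n3.get("matches") == child and "DS" not in n3["types"]:
            return INSECURE
        if n3.get("covers") == child and n3.get("opt_out"):
            return INSECURE  # opt-out span: unsigned delegation
    return BOGUS  # neither a signed DS nor a signed denial was returned

CHILD = "example.show."  # constructed placeholder, not the site from the thread

# Constructed: upstream answers the DS query with an unsigned CNAME
FORWARDED = {"answer": [{"name": CHILD, "type": "CNAME", "rrsig": False,
                         "target": "host.example.net."}], "authority": []}
# Constructed: the parent zone returns a signed NSEC3 denial for type DS
DIRECT = {"answer": [], "authority": [
    {"name": "show.", "type": "SOA", "rrsig": True},
    {"name": "hash1.show.", "type": "NSEC3", "rrsig": True,
     "matches": CHILD, "types": ["NS"], "opt_out": True}]}

if __name__ == "__main__":
    print(classify_ds_response(CHILD, FORWARDED))                     # bogus
    print(classify_ds_response(CHILD, DIRECT))                        # insecure
    print(classify_ds_response(CHILD, FORWARDED, domain_insecure=(CHILD,)))  # insecure
```

A bogus classification is what the client sees as a name that does not resolve; the domain-insecure workaround changes the outcome only by switching validation off for that name.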