unbound fails to resolve .org domain with DNSSEC

Paulo Roberto Tomasi pztomasi at gmail.com
Mon Sep 10 19:45:40 UTC 2018


Hi,

I'm trying to deploy an unbound installation in Ubuntu 16.04, but with no
success enabling DNSSEC.

# Configuration (unbound.conf):

=============================================

server:

# DNSSEC anchor key
trust-anchor-file: "/var/lib/unbound/root.key"

# Root Servers information
root-hints: "/var/lib/unbound/root.hints"

# interfaces serving DNS
interface: 0.0.0.0
interface: ::0

# access control
access-control: x.x.x.x/21 allow
access-control: 100.64.0.0/10 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow

# more options
hide-identity: yes
hide-version: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: no

# remote control
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"


=======================

# Root Key and Root Hints:

"/var/lib/unbound/root.key" has the content of
https://nlnetlabs.nl/downloads/unbound/root-11sep-11oct.key

"/var/lib/unbound/root.hints" has the content of
ftp://ftp.internic.net/domain/named.cache

======================

# Results:

When trust-anchor-file: "/var/lib/unbound/root.key" is inactive
(commented), all sites are resolved correctly, but with no DNSSEC support
(rootcanary.org/test.html shows only yellow padlocks)


When trust-anchor-file: "/var/lib/unbound/root.key" is active
(uncommented), all .org domains aren't resolved (other domains are resolved
correctly):

# Sites that are not resolved:
fire.org
rootcanary.org
under-linux.org
telegram.org


What can I try to solve this?