unbound fails to resolve .org domain with DNSSEC
Paulo Roberto Tomasi
pztomasi at gmail.com
Mon Sep 10 20:39:23 UTC 2018
Thank you very much!
Now https://www.rootcanary.org/test.html shows me green padlocks.
Em seg, 10 de set de 2018 às 16:26, Anand Buddhdev <anandb at ripe.net>
> On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:
> Hi Paulo,
> > do-tcp: no
> Don't disable TCP. TCP is *required* for proper operation of DNS,
> especially if you want to do DNSSEC validation. Many of the signed
> responses can be large. For example, the DNSKEY response for .ORG is
> 1625 bytes, and sometimes TCP is required in order to retrieve such
> large responses. Disabling TCP can cause DNSSEC validation to fail.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Unbound-users