unbound fails to resolve .org domain with DNSSEC

Paulo Roberto Tomasi pztomasi at gmail.com
Mon Sep 10 20:39:23 UTC 2018

Thank you very much!

Now https://www.rootcanary.org/test.html shows me green padlocks.


Em seg, 10 de set de 2018 às 16:26, Anand Buddhdev <anandb at ripe.net>

> On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:
> Hi Paulo,
> > do-tcp: no
> Don't disable TCP. TCP is *required* for proper operation of DNS,
> especially if you want to do DNSSEC validation. Many of the signed
> responses can be large. For example, the DNSKEY response for .ORG is
> 1625 bytes, and sometimes TCP is required in order to retrieve such
> large responses. Disabling TCP can cause DNSSEC validation to fail.
> Regards,
> Anand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180910/cb71ec31/attachment.htm>

More information about the Unbound-users mailing list