unbound fails to resolve .org domain with DNSSEC
Paulo Roberto Tomasi
pztomasi at gmail.com
Mon Sep 10 20:43:26 UTC 2018
> Can you try with unbound having direct
> unfiltered port 53 to the internet?
Yes, that was my scenario: public IP with no filter (I'm going to enable
iptables later) trying to discover the solution.
Like Anand said, I misconfigured "do-tcp: no" and that was the reason of
.org resolution failing.
Thanks again :-D
Em seg, 10 de set de 2018 às 16:39, Paulo Roberto Tomasi <pztomasi at gmail.com>
> Thank you very much!
> Now https://www.rootcanary.org/test.html shows me green padlocks.
> Em seg, 10 de set de 2018 às 16:26, Anand Buddhdev <anandb at ripe.net>
>> On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:
>> Hi Paulo,
>> > do-tcp: no
>> Don't disable TCP. TCP is *required* for proper operation of DNS,
>> especially if you want to do DNSSEC validation. Many of the signed
>> responses can be large. For example, the DNSKEY response for .ORG is
>> 1625 bytes, and sometimes TCP is required in order to retrieve such
>> large responses. Disabling TCP can cause DNSSEC validation to fail.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Unbound-users