unbound fails to resolve .org domain with DNSSEC

Paulo Roberto Tomasi pztomasi at gmail.com
Mon Sep 10 20:43:26 UTC 2018

> Can you try with unbound having direct
> unfiltered port 53 to the internet?

Yes, that was my scenario: public IP with no filter (I'm going to enable
iptables later) trying to discover the solution.

Like Anand said, I misconfigured "do-tcp: no" and that was the reason for
.org resolution failing.

Thanks again :-D

On Mon, 10 Sep 2018 at 16:39, Paulo Roberto Tomasi <pztomasi at gmail.com>

> Thank you very much!
> Now https://www.rootcanary.org/test.html shows me green padlocks.
> :-D
> On Mon, 10 Sep 2018 at 16:26, Anand Buddhdev <anandb at ripe.net>
> wrote:
>> On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:
>> Hi Paulo,
>> > do-tcp: no
>> Don't disable TCP. TCP is *required* for proper operation of DNS,
>> especially if you want to do DNSSEC validation. Many of the signed
>> responses can be large. For example, the DNSKEY response for .ORG is
>> 1625 bytes, and sometimes TCP is required in order to retrieve such
>> large responses. Disabling TCP can cause DNSSEC validation to fail.
>> Regards,
>> Anand
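The following is an added example, not code from this thread or from the Unbound project. It shows the weak setting Anand points at ("do-tcp: no") next to the corrected one, and a small check that reads an unbound.conf and reports the effective do-tcp value, so the misconfiguration can be caught before it breaks validation of zones with large signed answers such as .org. The two config snippets, the 127.0.0.1 resolver address and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): detect the
# "do-tcp: no" setting that caused .org DNSSEC validation to fail above.

# Constructed config with the weak setting quoted in the thread.
WEAK_CONF='server:
    interface: 0.0.0.0
    # The next line is what broke .org: large signed answers (the .org
    # DNSKEY response is 1625 bytes) may need a TCP fallback.
    do-tcp: no
    auto-trust-anchor-file: "/var/lib/unbound/root.key"'

# Same config with TCP left enabled, which is also the Unbound default.
FIXED_CONF='server:
    interface: 0.0.0.0
    do-tcp: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"'

# check_do_tcp: read an unbound.conf on stdin, print the effective do-tcp
# value and return 1 when TCP is disabled. Comments are stripped first so a
# commented-out "do-tcp" line is ignored; the last uncommented setting wins
# and an absent option counts as "yes", matching Unbound's default.
check_do_tcp() {
    value=$(sed 's/#.*//' | awk '$1 == "do-tcp:" { v = $2 } END { print (v == "" ? "yes" : v) }')
    printf '%s\n' "$value"
    [ "$value" = "yes" ]
}

# Optional live check (needs a resolver on 127.0.0.1 and network access, so
# it is not called automatically): ask for the .org DNSKEY RRset with a
# 512-byte UDP buffer and +ignore so dig shows the truncated (TC) answer
# instead of retrying, then fetch the same RRset over TCP and count records.
live_check() {
    dig @127.0.0.1 org DNSKEY +dnssec +ignore +bufsize=512 | grep -q '^;; flags:.* tc' \
        && echo "UDP answer truncated (TC set): TCP fallback is required"
    dig @127.0.0.1 org DNSKEY +dnssec +tcp | grep -c 'IN[[:space:]]*DNSKEY'
}

# report NAME CONFIG: human-readable verdict for one config snippet.
report() {
    if printf '%s\n' "$2" | check_do_tcp >/dev/null; then
        echo "$1: do-tcp enabled; large signed answers can fall back to TCP"
    else
        echo "$1: do-tcp disabled; expect DNSSEC validation failures such as .org"
    fi
}

report weak  "$WEAK_CONF"
report fixed "$FIXED_CONF"
```

On a real installation the same value can be read with `unbound-checkconf -o do-tcp`, which prints the option as Unbound will actually apply it; the script above is only useful for checking config files offline, for example in a deployment pipeline before the file reaches the resolver.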