Trying to find out why my unbound will not resolve (1.13.1)

Gerben Wierda gerben.wierda at
Thu May 6 09:25:30 UTC 2021

> On 6 May 2021, at 10:43, Renaud Allard via Unbound-users <unbound-users at> wrote:
> On 5/5/21 8:50 PM, Gerben Wierda via Unbound-users wrote:
>> I have tested additionally on a separate test machine with unbound 1.13.1 with logging set to 4
>> Same problem. I also noticed there are TCP errors, but I have do-tcp set to no.
> The domain you are testing uses DNSSEC with RSASHA256, you should probably enable do-tcp.

And that solved it. NAT, FW etc was not the issue. Turning do-tcp on makes resolving this domain work.

Ah. I was under the impression that I could have a setup that doesn’t do TCP at all, but it seems that these days, TCP is a requirement.

Basically, do-tcp must be a yes to be able to resolve the entire internet. do-tcp: no means some names will not resolve. And this will become worse over time. Setting do-tcp to no might come with a decent warning, then.

Thanks, all.
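
The behaviour discussed in this thread, as an added example that is not part of the original post or of Unbound's code: a server that cannot fit a DNSSEC-signed answer into the UDP payload size sets the TC (truncated) bit, and the resolver can only complete the lookup by retrying over TCP. It assumes the failures seen here came from such truncated answers; the names `build_query`, `needs_tcp_retry` and `resolver_outcome`, and the sample messages, are constructed for illustration.

```python
import struct

QR_FLAG = 0x8000  # response bit in the DNS header flags word (RFC 1035)
TC_FLAG = 0x0200  # truncation bit in the same flags word
DO_BIT = 0x8000   # "DNSSEC OK" bit carried in the EDNS0 OPT TTL field (RFC 3225)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid, udp_size=1232):
    """Build a query with an EDNS0 OPT record asking for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL holds DO, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_BIT, 0)
    return header + question + opt

def needs_tcp_retry(query, response):
    """Return True when the UDP response is truncated and must be re-asked over TCP."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & QR_FLAG:
        raise ValueError("not a response")
    return bool(flags & TC_FLAG)

def resolver_outcome(query, response, do_tcp):
    """Model (assumption) of what a resolver can do with this UDP answer."""
    if not needs_tcp_retry(query, response):
        return "answer-from-udp"
    return "retry-over-tcp" if do_tcp else "resolution-fails"

# Constructed sample messages: a DNSKEY (type 48) query and two possible replies.
QUERY = build_query("example.com", 48, 0x1A2B)
TRUNCATED = struct.pack("!HHHHHH", 0x1A2B, 0x8380, 1, 0, 0, 1) + QUERY[12:]  # TC=1
COMPLETE = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 0, 0, 1) + QUERY[12:]   # TC=0

if __name__ == "__main__":
    for do_tcp in (False, True):
        print("do-tcp:", "yes" if do_tcp else "no", "->",
              resolver_outcome(QUERY, TRUNCATED, do_tcp))
```
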
