local unbound resolver fails @ DANE TLSA lookups; ok with external NS ?

Antonio Prado antonio at prado.it
Thu Oct 6 17:02:07 UTC 2022


On 10/6/22 6:33 PM, PGNet Dev via Unbound-users wrote:
> seems it's my unbound config.

it is, because on my unbound I get the same non-existent domain reply 
as quad8 and quad1.

> any hints as to cause/cure for this failing dane/tlsa query? or 
> where/how to dig further?

here is my 'working' unbound.conf;
hope it helps
--
antonio

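# unbound.conf — validating recursive resolver with DoT (853) and DoH (443)
# listeners, RPZ/blacklist includes and a loopback-only remote-control channel.
# Whitespace is not significant to unbound; indentation below is cosmetic only.
# Review fixes vs. the posted copy: the list archive rewrote "@" in the
# interface lines as " at " (unbound syntax is addr@port), and
# rrset-cache-slabs takes a plain power-of-two count, not a size suffix.
include: "/usr/local/etc/unbound/rpz/*.conf"
include: "/usr/local/etc/unbound/blacklists.d/*.conf"
include: "/usr/local/etc/unbound/shared.conf.d/*.conf"

server:
	verbosity: 1
	extended-statistics: yes
	num-threads: 1

	# Listeners: plain DNS on 53, DoH on 443, DoT on 853, bound to all
	# addresses. Access is governed by the access-control lines further
	# down; as configured, only loopback clients are answered.
	interface: 0.0.0.0
	interface: ::0
	interface: 0.0.0.0@443
	interface: ::0@443
	interface: 0.0.0.0@853
	interface: ::0@853
	port: 53
	outgoing-range: 4096
	outgoing-num-tcp: 128
	incoming-num-tcp: 128
	so-reuseport: no

	# Caches. msg-cache-size is 8x rrset-cache-size here; unbound's own
	# guidance is usually the reverse (rrset roughly twice msg) — worth a
	# look if cache hit rate matters.
	msg-cache-size: 128m
	msg-cache-slabs: 8
	num-queries-per-thread: 1024
	rrset-cache-size: 16m
	# slab count must be a power of two; "16m" was accepted only because the
	# parser stops at the first non-digit.
	rrset-cache-slabs: 16
	# cache-min-ttl overrides upstream TTLs shorter than 15s; keep it small.
	cache-min-ttl: 15
	cache-max-ttl: 86400
	cache-max-negative-ttl: 300
	infra-cache-numhosts: 100000
	do-ip4: yes
	do-ip6: yes
	do-udp: yes
	do-tcp: yes

	# Client ACL: loopback only. Every other source is refused, including
	# on the 443/853 listeners above.
	access-control: 127.0.0.0/8 allow
	access-control: ::1 allow
	access-control: 0.0.0.0/0 deny
	access-control: ::/0 deny

	# Privilege drop and chroot. Relative file names elsewhere in this
	# file (tls-service-*, root-hints via include) resolve inside the
	# chroot/directory below.
	chroot: "/usr/local/etc/unbound"
	username: "unbound"
	directory: "/usr/local/etc/unbound"
	logfile: "/usr/local/etc/unbound/log/unbound.log"
	use-syslog: no
	log-time-ascii: yes
	log-queries: no
	log-replies: no
	pidfile: "/usr/local/etc/unbound/run/unbound.pid"
	root-hints: "/usr/local/etc/unbound/named.cache"

	# Information hiding; hide-trustanchor: no leaves the
	# trustanchor.unbound CH TXT query answerable.
	hide-identity: yes
	hide-version: yes
	hide-trustanchor: no

	# Hardening / spoof resistance.
	harden-short-bufsize: yes
	harden-large-queries: yes
	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-algo-downgrade: yes
	qname-minimisation: yes
	# NOTE(review): strict mode never falls back to the full QNAME; the
	# unbound.conf(5) text warns that some domains with broken delegations
	# will then fail to resolve. Consider "no" when debugging lookup failures.
	qname-minimisation-strict: yes
	aggressive-nsec: yes
	# 0x20 case randomisation; some authoritative servers mishandle it.
	use-caps-for-id: yes

	# RFC1918/link-local/ULA/v4-mapped answers from public names are
	# treated as rebinding and dropped.
	private-address: 10.0.0.0/8
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: fd00::/8
	private-address: fe80::/10
	private-address: ::ffff:0:0/96
	# NOTE(review): written with host bits set; 127.0.0.0/8 is the canonical
	# form of the same prefix.
	do-not-query-address: 127.0.0.1/8
	do-not-query-address: ::1
	do-not-query-localhost: yes
	prefetch: yes
	prefetch-key: yes
	rrset-roundrobin: yes
	minimal-responses: yes

	# DNSSEC validation with RPZ (respip) ahead of the validator.
	module-config: "respip validator iterator"
	auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
	trust-anchor-signaling: yes
	root-key-sentinel: yes
	val-clean-additional: yes
	serve-expired: no

	# DoT/DoH service credentials (paths relative to the chroot directory).
	tls-service-key: "ns12-rec.as59715.net.key.pem"
	tls-service-pem: "ns12-rec.as59715.net.cert.pem"
	tls-port: 853
	https-port: 443

	# Per-zone and per-client query rate limits (queries/second).
	ratelimit: 100
	ip-ratelimit: 100

# Empty python clause; module-config above does not load the python module,
# so this section is inert.
python:

# Control channel restricted to loopback, mutually authenticated with the
# unbound-control key pair.
remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
	control-interface: ::1
	control-port: 8953
	server-key-file: "/usr/local/etc/unbound/unbound_server.key"
	server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
	control-key-file: "/usr/local/etc/unbound/unbound_control.key"
	control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"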

