unbound 1.9.1 - No DNSKEY record for key wolfssl.com. while building chain of trust - why?

Dear List.

I am failing to understand why wolfssl.com does NOT resolve. Any hints?

Jan 02 19:17:27 rdns0.edu-zg.io unbound[4948]: [4948:0] info: start of service (unbound 1.9.1).
Jan 02 19:17:29 rdns0.edu-zg.io unbound[4948]: [4948:7] info: validation failure <wolfssl.com. A IN>: No DNSKEY record for key wolfssl.com. while building chain of trust

"https://dnssec-analyzer.verisignlabs.com/www.wolfssl.com" does not show an error.

Version 1.9.1
linked libs: libevent 2.0.21-stable (it uses epoll), OpenSSL 1.0.2k-fips 26 Jan 2017
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl

tcpdump shows that DNSKEYs are actually returned.

[wiwi@rdns0 ~]$ whois wolfssl.com
    Domain Name: WOLFSSL.COM
    Registry Domain ID: 1725393507_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.godaddy.com
    Registrar URL: http://www.godaddy.com
    Updated Date: 2019-06-06T16:30:17Z
    Creation Date: 2012-06-06T01:15:53Z
    Registry Expiry Date: 2020-06-06T01:15:53Z
    Registrar: GoDaddy.com, LLC
    Registrar IANA ID: 146
    Registrar Abuse Contact Email: abuse@godaddy.com
    Registrar Abuse Contact Phone: 480-624-2505
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Name Server: PDNS11.DOMAINCONTROL.COM
    Name Server: PDNS12.DOMAINCONTROL.COM
    DNSSEC: signedDelegation
    DNSSEC DS Data: 54187 8 1 586DF2D210370733A696650F1F7E2614257F12C5
    DNSSEC DS Data: 29029 8 1 5C58C9FB0CF71C81F839D6E36BBCBF030A3CB75A
    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-01-02T18:19:55Z <<<

[wiwi@rdns0 ~]$ dig wolfssl.com ds @[a-m].gtld-servers.net

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com ds @m.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34040
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wolfssl.com. IN DS

;; ANSWER SECTION:
wolfssl.com. 86400 IN DS 54187 8 1 586DF2D210370733A696650F1F7E2614257F12C5
wolfssl.com. 86400 IN DS 29029 8 1 5C58C9FB0CF71C81F839D6E36BBCBF030A3CB75A

;; AUTHORITY SECTION:
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.

[wiwi@rdns0 ~]$ dig wolfssl.com ns @[a-m].gtld-servers.net

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com ns @m.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9586
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wolfssl.com. IN NS

;; AUTHORITY SECTION:
wolfssl.com. 172800 IN NS pdns11.domaincontrol.com.
wolfssl.com. 172800 IN NS pdns12.domaincontrol.com.

;; ADDITIONAL SECTION:
pdns11.domaincontrol.com. 172800 IN AAAA 2603:5:21f2::37
pdns11.domaincontrol.com. 172800 IN A 97.74.111.55
pdns12.domaincontrol.com. 172800 IN A 173.201.79.55
pdns12.domaincontrol.com. 172800 IN AAAA 2603:5:22f2::37

[wiwi@rdns0 ~]$ dig wolfssl.com dnskey +dnssec @pdns12.domaincontrol.com.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> wolfssl.com dnskey +dnssec @pdns12.domaincontrol.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12098
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;wolfssl.com. IN DNSKEY

;; ANSWER SECTION:
wolfssl.com. 3600 IN DNSKEY 257 3 8 AwEAAeuDjCM2yxIKeSzzEcWJIqHXCiZPZlAWxLbqP6EzB/tV4YEBpVNx gFg9zQPGGgMi1DzskNYMvxyFkTYIFMX1iNULKOSswyPBxPaeR6TJ6PB2 fL4UGjnLGohlUPraFINVu8KNQOn/nVnTY3cdyZG7CM2pZDInilgT3S3b RsPzZKhxbEDUTciH3nNtZ+adOVrAHMUFCqCtdUhBc4UzX3YG0QlvYrpP tF7QbUKoX1FCl5xfnkJUUDMdytmSI+GiFZqpFj5SyRaEDORWuCUIRErp Jd0rB9ebz61yfV5OYTELSS8NBeIoIqSnJzUNljkSqxrXvYb3LM9+9Loq nHfiIl/OOvM=
wolfssl.com. 3600 IN DNSKEY 257 3 8 AwEAAbibT2uFcRnWZbypTRQari8EA8UtZFCi/itqREiRPra/7A6VjTL6 vIbrQlAO0bpCKa+2vCKpYzGOt4Bjs5qVf9BiSU1IaAe+JvigAEWkORNQ w+1DFZ0ZJCc7TnMoqPp9etOZHtEx/UoTS8dCHDsHa4UMghsDwklZ8tj9 gFYRdIVULyIpNNO7woj6J1tQqy0/DRd3DCqtaF9HcaD/7VqIvDoDrCs9 r8tkaFWikxzcEg5G2gyUxmdoq9wzzkgr6FO7jqR+BnSQ+CqaTI4cjUmD TaS/AQpHcNSqBQCEep8liD+qo1kwAZ7xhbASeeXqW1LLyp98aKhSlPzd JPE2tm3QL70=
wolfssl.com. 3600 IN DNSKEY 256 3 8 AwEAAcoqW8bT4ywr3Ce+J2629UiJk4X9uIqY1m4kGrSdIPOnn4JnQHj1 vQ1U/mu5bTEsRK00+vmHs33pPNVxvxh8yMmVjo7cPNaP1IYiOBdMnKJX L4fw9muhr4pziyJd7rhvTd74fDNu/cnGjSGEINXHMTmyAa6ZbZUtuY74 Df+uioDKC93wXbJUfauCvN/6g6s9OKRoA24p4b/I20/ClK85KkTu6k7t PnN3cU0IKJxuU1AXihABuF3o2tYcMOJVEbiQLIK7SlfJnk0E5vfBbOkn 2EfEWpWZ0RGkkMulK0LMq39yNbX3tQPFrEJABNChxhkgxIGaajaUMOLk 3LgVdsPJ8lU=
wolfssl.com. 3600 IN DNSKEY 256 3 8 AwEAAcLSvxos9ERtEj94msxFNTRASIcBWYLWF5EIhCASDP+qjGptlBNl K+o1kmqQ0sSDncbZfAPqupXOjl0NR64fbDG6jVdpLTR3Dcr57eaq9kE0 1d6iLj7zoQEINZ9zIk8EmCFLQJmaatsXwYcwter0MkL4CBa33/BsS0F5 foOHScFW3q8IMIFckLkaGv5deE+oI29gcsBnU2cTkvRPWFBl3AWM8mkr HZcYPSQcC/Zpo1cAzHk/xShAtaGRnYlzC3KIZbAhNfp7bW7SuOJ1O7L0 M0G8Tl1sEkl3M0QbM4EKHQol8vjkXf8gvI/jCVg5nB9MPO88RqjYA7bL IumTJNxH+lE=
wolfssl.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200114231625 20191230231625 54187 wolfssl.com. XtctZDTBA83dmP1bLWYqhY4DvX7C7K/FiUnEiNQ2ZiY1s5PR/HosHBAR 8rvI/V9HZnE4uEK8BqM0FTn/EljA5pkLmlt/QZkSUPzjnsUkebmTge48 HQDlcUPRRa38aYQlxU9tWDfLA5pquvOzeRNOAX6pNEX0DcJ+j6ChBepe 2Zqi1dV/XZDIlsSLNxnQ5fgwXyQTYnWrcFa19s0PQfG38N8VQFkT2wj8 asrpY5cq39IloHa6/kQ9L8GU8x7ZaIv/tNeaUeoOR24hTuj5/tK4XUuk 0TcyBNJTED+Dpr1yKqyfbev/qbyyfLwYlPoilXizaee3L8405HyzKUVP mgqh8Q==

;; AUTHORITY SECTION:
wolfssl.com. 3600 IN NS pdns11.domaincontrol.com.
wolfssl.com. 3600 IN NS pdns12.domaincontrol.com.
wolfssl.com. 3600 IN RRSIG NS 8 2 3600 20200114231625 20191230231625 58008 wolfssl.com. CNK3+5fCh0yDowU9y26j0xAgxVuTvyYzsbqZBoaeGeLCxE4a5jahLukl sHQsnKyoLxaXIZgiK+MYEuFP+HdebEZQE4THmp0okCiqWJr1SPW9sllw wP+S2qn4TjJUbyyZ0FjZ8aR8QjF6Wep0Pjd48EI3lPOMZOz+ISwDeJVD zkK2/yaYnPhl8giEX20VPCA5oXA4wiJ5MFzFJlyTRficeyDq6ZYee+78 uQdUA9y3BGliws5GD5q+q4MIjHaNev6225NjYV2hkUCrHpV4UQjxHfQV 3hsaRs0d9A65svpGhQ4zQ+2nS8MA6hxtVtbkXWRXxUx3pTKQmANkg4qB rkSbtw==

;; Query time: 7 msec
;; SERVER: 173.201.79.55#53(173.201.79.55)
;; WHEN: Thu Jan 02 19:27:50 CET 2020
;; MSG SIZE rcvd: 1798

19:37:53.794666 IP (tos 0x0, ttl 60, id 60188, offset 0, flags [none], proto UDP (17), length 479)
     192.54.112.30.domain > 85.158.27.148.35318: 49620- 0/5/5 (451)
19:37:53.795101 IP (tos 0x0, ttl 64, id 8933, offset 0, flags [none], proto UDP (17), length 68)
     85.158.27.148.22524 > 192.31.80.30.domain: 21352% [1au] DNSKEY? wolfssl.com. (40)
19:37:53.808691 IP (tos 0x0, ttl 54, id 10257, offset 0, flags [none], proto UDP (17), length 479)
     192.31.80.30.domain > 85.158.27.148.22524: 21352- 0/5/5 (451)
19:37:53.809198 IP (tos 0x0, ttl 64, id 22140, offset 0, flags [none], proto UDP (17), length 68)
     85.158.27.148.28753 > 173.201.79.55.domain: 25715% [1au] DNSKEY? WOLfSsl.com. (40)
19:37:53.815973 IP (tos 0x0, ttl 55, id 63035, offset 0, flags [DF], proto UDP (17), length 1471)
     173.201.79.55.domain > 85.158.27.148.28753: 25715*-| 5/0/1 WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. DNSKEY, WOLfSsl.com. RRSIG (1443)
19:37:53.816413 IP (tos 0x0, ttl 64, id 49466, offset 0, flags [none], proto UDP (17), length 68)
     85.158.27.148.6099 > 97.74.111.55.domain: 11838% [1au] DNSKEY? WolfsSL.coM. (40)
19:37:53.823225 IP (tos 0x0, ttl 55, id 61130, offset 0, flags [DF], proto UDP (17), length 1471)
     97.74.111.55.domain > 85.158.27.148.6099: 11838*-| 5/0/1 WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. DNSKEY, WolfsSL.coM. RRSIG (1443)
19:37:53.823740 IP (tos 0x0, ttl 64, id 48, offset 0, flags [none], proto UDP (17), length 68)
     127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
19:37:53.823790 IP (tos 0x0, ttl 64, id 49, offset 0, flags [none], proto UDP (17), length 68)
     127.0.0.1.domain > 127.0.0.1.39245: 54478 ServFail 0/0/1 (40)
19:37:54.012318 IP (tos 0x0, ttl 126, id 8073, offset 0, flags [none], proto UDP (17), length 72)
     81.94.121.16.55673 > 85.158.27.148.domain: 59040+ PTR? 136.26.31.172.in-addr.arpa. (44)
19:37:54.012609 IP (tos 0x0, ttl 64, id 26455, offset 0, flags [none], proto UDP (17), length 131)
     85.158.27.148.domain > 81.94.121.16.55673: 59040 NXDomain* 0/1/0 (103)
19:37:54.070734 IP (tos 0x0, ttl 64, id 6121, offset 0, flags [none], proto UDP (17), length 68)
     85.158.27.148.57732 > 192.33.14.30.domain: 58187% [1au] A? AS34288.NEt. (40)
19:37:54.085119 IP (tos 0x0, ttl 54, id 32042, offset 0, flags [none], proto UDP (17), length 435)
     192.33.14.30.domain > 85.158.27.148.57732: 58187- 0/4/5 (407)

Best regards

  Christian

Hi Christian,

I am not able to reproduce that behavior. Resolves and validates here.

Try to increase the logging verbosity in Unbound to find out if Unbound
is able to retrieve the DNSKEY record during validation. And if so why
it is discarded.

-- Ralph

Dear Ralph.
Dear List.

(Platform is CentOS 7, most current)

I see: "Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)"

So it looks as if unbound is unable to do TCP connections. But why?

Firewall is deactivated.

[root@rdns0 unbound]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

dig from the same machine can use tcp to these hosts:

[root@rdns0 unbound]# dig wolfssl.com dnskey +dnssec @97.74.111.55
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> wolfssl.com dnskey +dnssec @97.74.111.55
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63791
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;wolfssl.com. IN DNSKEY

;; ANSWER SECTION:
wolfssl.com. 3600 IN DNSKEY 257 3 8 AwEAAeuDjCM2yxIKeSzzEcWJIqHXCiZPZlAWxLbqP6EzB/tV4YEBpVNx gFg9zQPGGgMi1DzskNYMvxyFkTYIFMX1iNULKOSswyPBxPaeR6TJ6PB2 fL4UGjnLGohlUPraFINVu8KNQOn/nVnTY3cdyZG7CM2pZDInilgT3S3b RsPzZKhxbEDUTciH3nNtZ+adOVrAHMUFCqCtdUhBc4UzX3YG0QlvYrpP tF7QbUKoX1FCl5xfnkJUUDMdytmSI+GiFZqpFj5SyRaEDORWuCUIRErp Jd0rB9ebz61yfV5OYTELSS8NBeIoIqSnJzUNljkSqxrXvYb3LM9+9Loq nHfiIl/OOvM=
wolfssl.com. 3600 IN DNSKEY 257 3 8 AwEAAbibT2uFcRnWZbypTRQari8EA8UtZFCi/itqREiRPra/7A6VjTL6 vIbrQlAO0bpCKa+2vCKpYzGOt4Bjs5qVf9BiSU1IaAe+JvigAEWkORNQ w+1DFZ0ZJCc7TnMoqPp9etOZHtEx/UoTS8dCHDsHa4UMghsDwklZ8tj9 gFYRdIVULyIpNNO7woj6J1tQqy0/DRd3DCqtaF9HcaD/7VqIvDoDrCs9 r8tkaFWikxzcEg5G2gyUxmdoq9wzzkgr6FO7jqR+BnSQ+CqaTI4cjUmD TaS/AQpHcNSqBQCEep8liD+qo1kwAZ7xhbASeeXqW1LLyp98aKhSlPzd JPE2tm3QL70=
wolfssl.com. 3600 IN DNSKEY 256 3 8 AwEAAcoqW8bT4ywr3Ce+J2629UiJk4X9uIqY1m4kGrSdIPOnn4JnQHj1 vQ1U/mu5bTEsRK00+vmHs33pPNVxvxh8yMmVjo7cPNaP1IYiOBdMnKJX L4fw9muhr4pziyJd7rhvTd74fDNu/cnGjSGEINXHMTmyAa6ZbZUtuY74 Df+uioDKC93wXbJUfauCvN/6g6s9OKRoA24p4b/I20/ClK85KkTu6k7t PnN3cU0IKJxuU1AXihABuF3o2tYcMOJVEbiQLIK7SlfJnk0E5vfBbOkn 2EfEWpWZ0RGkkMulK0LMq39yNbX3tQPFrEJABNChxhkgxIGaajaUMOLk 3LgVdsPJ8lU=
wolfssl.com. 3600 IN DNSKEY 256 3 8 AwEAAcLSvxos9ERtEj94msxFNTRASIcBWYLWF5EIhCASDP+qjGptlBNl K+o1kmqQ0sSDncbZfAPqupXOjl0NR64fbDG6jVdpLTR3Dcr57eaq9kE0 1d6iLj7zoQEINZ9zIk8EmCFLQJmaatsXwYcwter0MkL4CBa33/BsS0F5 foOHScFW3q8IMIFckLkaGv5deE+oI29gcsBnU2cTkvRPWFBl3AWM8mkr HZcYPSQcC/Zpo1cAzHk/xShAtaGRnYlzC3KIZbAhNfp7bW7SuOJ1O7L0 M0G8Tl1sEkl3M0QbM4EKHQol8vjkXf8gvI/jCVg5nB9MPO88RqjYA7bL IumTJNxH+lE=
wolfssl.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200114231625 20191230231625 54187 wolfssl.com. XtctZDTBA83dmP1bLWYqhY4DvX7C7K/FiUnEiNQ2ZiY1s5PR/HosHBAR 8rvI/V9HZnE4uEK8BqM0FTn/EljA5pkLmlt/QZkSUPzjnsUkebmTge48 HQDlcUPRRa38aYQlxU9tWDfLA5pquvOzeRNOAX6pNEX0DcJ+j6ChBepe 2Zqi1dV/XZDIlsSLNxnQ5fgwXyQTYnWrcFa19s0PQfG38N8VQFkT2wj8 asrpY5cq39IloHa6/kQ9L8GU8x7ZaIv/tNeaUeoOR24hTuj5/tK4XUuk 0TcyBNJTED+Dpr1yKqyfbev/qbyyfLwYlPoilXizaee3L8405HyzKUVP mgqh8Q==

;; AUTHORITY SECTION:
wolfssl.com. 3600 IN NS pdns11.domaincontrol.com.
wolfssl.com. 3600 IN NS pdns12.domaincontrol.com.
wolfssl.com. 3600 IN RRSIG NS 8 2 3600 20200114231625 20191230231625 58008 wolfssl.com. CNK3+5fCh0yDowU9y26j0xAgxVuTvyYzsbqZBoaeGeLCxE4a5jahLukl sHQsnKyoLxaXIZgiK+MYEuFP+HdebEZQE4THmp0okCiqWJr1SPW9sllw wP+S2qn4TjJUbyyZ0FjZ8aR8QjF6Wep0Pjd48EI3lPOMZOz+ISwDeJVD zkK2/yaYnPhl8giEX20VPCA5oXA4wiJ5MFzFJlyTRficeyDq6ZYee+78 uQdUA9y3BGliws5GD5q+q4MIjHaNev6225NjYV2hkUCrHpV4UQjxHfQV 3hsaRs0d9A65svpGhQ4zQ+2nS8MA6hxtVtbkXWRXxUx3pTKQmANkg4qB rkSbtw==

;; Query time: 6 msec
;; SERVER: 97.74.111.55#53(97.74.111.55)
;; WHEN: Fri Jan 03 23:05:28 CET 2020
;; MSG SIZE rcvd: 1798

unbound.conf is:

server:
         verbosity: 5

         num-threads: 8

         so-reuseport: yes # no change

         username: "unbound"

         pidfile: "/var/run/unbound.pid"

         outgoing-interface: 85.158.27.148 # no change
         do-ip6: no

         interface: 127.0.0.1
         #interface: 127.0.0.1@853

         interface: 0.0.0.0
         interface: ::0

         #interface: 0.0.0.0@853
         #interface: ::0@853

         access-control: 127.0.0.1 allow
         access-control: ::1 allow

         access-control: 46.234.32.0/19 allow
         access-control: 81.94.112.0/20 allow
         access-control: 85.158.24.0/21 allow
         access-control: 109.233.176.0/21 allow
         access-control: 82.136.38.0/27 allow
         access-control: 64.71.160.96/27 allow
         access-control: 91.232.37.0/24 allow
         access-control: 87.245.215.224/29 allow
         access-control: 217.11.218.80/28 allow
         access-control: 172.18.0.0/21 allow
         access-control: 2001:4b20:2000::/29 allow

         access-control: 0.0.0.0/0 deny
         access-control: ::0 deny

         root-hints: "/etc/opt/as34288/unbound/root.hints"
         auto-trust-anchor-file: "/etc/opt/as34288/unbound/trust-anchor/root.key"

         # cache timeouts
         cache-min-ttl: 60
         cache-max-ttl: 900
         cache-max-negative-ttl: 60

         # rotate rrsets
         rrset-roundrobin: yes

         val-log-level: 2

Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD mod1 wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0 rep wolfssl.com. A IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator operate: query wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: processQueryTargets: wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0 avail) cacheNS
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: pdns12.domaincontrol.com. * A AAAA
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: pdns11.domaincontrol.com. * A AAAA
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending query: wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: mesh_run: end 2 recursion states (1 with reply, 0 detached), 2 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD mod1 wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0 rep wolfssl.com. A IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator operate: query wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: processQueryTargets: wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0 avail) cacheNS
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: pdns12.domaincontrol.com. * A AAAA
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: pdns11.domaincontrol.com. * A AAAA
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending query: wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: mesh_run: end 2 recursion states (1 with reply, 0 detached), 2 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 0vRDCD mod1 wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: 1RDdc mod0 rep wolfssl.com. A IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: iterator operate: query wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: processQueryTargets: wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: DelegationPoint<wolfssl.com.>: 2 names (0 missing), 4 addrs (4 result, 0 avail) cacheNS
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: pdns12.domaincontrol.com. * A AAAA
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:45 rdns0.edu-zg.io systemd[1]: Stopping AS34288 unbound rDNS Server...
Jan 03 22:53:45 rdns0.edu-zg.io systemd[1]: as34288.unbound.service: control process exited, code=exited status=1

Best regards

  Christian

Hi Christian,

Looks like your Unbound is compiled with support for TCP fast open. Your
kernel supports fast open, but it is not enabled in your kernel. Try to
enable it using something like "sysctl -w net.ipv4.tcp_fastopen=3", or
compile Unbound without fast open support (default, i.e. not using
--enable-tfo-client as ./configure option).

-- Ralph
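
The diagnosis in the last reply, as an added example that is not part of the original thread or of Unbound itself: a shell check that correlates the "tcp sendmsg: Operation not supported" errors in an Unbound log with the client bit of net.ipv4.tcp_fastopen. The function names and the sample log (constructed from lines in the format shown above) are assumptions; the bit meanings (0x1 client, 0x2 server) follow the Linux kernel's sysctl documentation.

```shell
#!/bin/sh
# Added example: explain DNSSEC SERVFAILs caused by failed TCP retries
# when Unbound is built with --enable-tfo-client but the kernel has the
# TCP Fast Open client side switched off.

# Constructed sample: three log lines in the format shown in the thread.
SAMPLE_LOG='Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 173.201.79.55 port 53 (len 16)
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] info: sending query: wolfssl.com. DNSKEY IN
Jan 03 22:53:36 rdns0.edu-zg.io unbound[7681]: [7681:0] error: tcp sendmsg: Operation not supported for 97.74.111.55 port 53 (len 16)'

# net.ipv4.tcp_fastopen is a bitmask: 0x1 = client side, 0x2 = server side.
# Prints "on" if the client bit is set in the given value, else "off".
tfo_client_state() {
    if [ $(( $1 & 1 )) -ne 0 ]; then echo on; else echo off; fi
}

# Reads Unbound log text on stdin; prints how many TCP send attempts
# failed with "Operation not supported".
count_tfo_send_errors() {
    grep -c 'error: tcp sendmsg: Operation not supported' || true
}

# Reads Unbound log text on stdin; prints the distinct upstream
# addresses that hit the error, one per line, sorted.
failing_upstreams() {
    sed -n 's/.*tcp sendmsg: Operation not supported for \([^ ]*\) port.*/\1/p' | sort -u
}

# diagnose TFO_VALUE  (log text on stdin) -> one-line verdict.
diagnose() {
    log=$(cat)
    n=$(printf '%s\n' "$log" | count_tfo_send_errors)
    if [ "$n" -gt 0 ] && [ "$(tfo_client_state "$1")" = off ]; then
        echo "tfo-client-disabled: $n failed TCP sends; enable the client bit in net.ipv4.tcp_fastopen or build without --enable-tfo-client"
    elif [ "$n" -gt 0 ]; then
        echo "tcp-send-errors-other-cause: $n"
    else
        echo "ok"
    fi
}

# Use the live kernel value when readable, otherwise assume 0 (client off).
val=$(cat /proc/sys/net/ipv4/tcp_fastopen 2>/dev/null || echo 0)
printf '%s\n' "$SAMPLE_LOG" | diagnose "$val"
printf '%s\n' "$SAMPLE_LOG" | failing_upstreams
```

On a real resolver, pipe the service's journal output into `diagnose` instead of the sample. A large DNSKEY answer that is truncated over UDP, as in the tcpdump above, is exactly the case where the TCP retry has to succeed for validation to complete.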