Hi,
I’m trying to deploy an unbound installation in Ubuntu 16.04, but with no success enabling DNSSEC.
Hi Paulo,
do-tcp: no
Don't disable TCP. TCP is *required* for proper operation of DNS,
especially if you want to do DNSSEC validation. Many of the signed
responses can be large. For example, the DNSKEY response for .ORG is
1625 bytes, and sometimes TCP is required in order to retrieve such
large responses. Disabling TCP can cause DNSSEC validation to fail.
Regards,
Anand
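As an added illustration of Anand's point (this is example code, not from the thread or from unbound itself), here is a small Python model of the UDP-to-TCP fallback a validating resolver depends on: when the signed answer does not fit in the UDP reply the server sets the TC bit, and a resolver with TCP disabled simply has nowhere to retry. The server stand-ins and the 1625-byte DNSKEY payload are constructed for the example.

```python
import struct
from typing import Callable, Optional

TC_FLAG = 0x0200                 # header flag: message truncated
DO_FLAG = 0x8000                 # EDNS0 flag: DNSSEC OK (in the OPT TTL field)
TYPE_OPT, TYPE_DNSKEY = 41, 48


def encode_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Query with RD set plus an OPT record advertising a 4096-byte UDP buffer and DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return header + question + opt

def is_truncated(response: bytes) -> bool:
    """True when the server set TC: the full answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)

def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message

def resolve(query: bytes, udp_send: Callable[[bytes], bytes],
            tcp_send: Callable[[bytes], bytes], do_tcp: bool) -> Optional[bytes]:
    """Resolver fallback: UDP first, then TCP on truncation, but only if do-tcp is on."""
    reply = udp_send(query)
    if not is_truncated(reply):
        return reply
    if not do_tcp:
        return None                  # do-tcp: no -> no retry, validation cannot proceed
    framed = tcp_send(tcp_frame(query))
    (length,) = struct.unpack("!H", framed[:2])
    return framed[2:2 + length]


# Constructed stand-in for an authoritative server: the 1625-byte DNSKEY answer is
# too big for its UDP reply, so UDP gets a bare header with TC set and TCP gets it all.
FULL_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1) + b"\x00" * 1613
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8180 | TC_FLAG, 1, 0, 0, 1)
fake_udp = lambda query: TRUNCATED
fake_tcp = lambda framed_query: tcp_frame(FULL_ANSWER)
```

Calling `resolve(build_query("org.", TYPE_DNSKEY), fake_udp, fake_tcp, do_tcp=False)` returns `None`, which is the failure the original poster saw; with `do_tcp=True` the full 1625-byte answer comes back.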
Is your unbound instance behind an old bind forwarder? There were some
bind versions that did not properly return all records needed for DNSSEC
validation in certain cases. Can you try with unbound having direct
unfiltered port 53 to the internet?
Paul
Can you try with unbound having direct
unfiltered port 53 to the internet?
Yes, that was my scenario: public IP with no filter (I’m going to enable iptables later) trying to discover the solution.
Like Anand said, I misconfigured “do-tcp: no” and that was the reason .org resolution was failing.
Thanks again