using unbound causing SERVFAIL with DNSSEC on some queries #279
Labels
🐞 bug
Something isn't working
Comments
|
This is expected, blocked queries can’t be DNSSEC authenticated by the client as it is a modified response. You should disable DNSSEC on the client, our resolver does the DNSSEC validation already. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When resolving hostnames (e.g. weatherlive.info) the unbound server does not return an IP address.
Disabling DNSSEC in unbound configuration fixes the issue.
unbound log:
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: resolving info. DS IN
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: validated DS info. DS IN
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: resolving info. DNSKEY IN
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: response for info. DNSKEY IN
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: reply from <.> 45.90.30.0#853
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: query response was nodata ANSWER
Jul 11 15:43:59 raspberrypiwatch unbound: [3599:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Dig result:
pi@raspberrypiwatch:/var/log $ dig weatherlive.info -p 5335
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> weatherlive.info -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39283
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
unbound config
harden-dnssec-stripped: yes
forward-tls-upstream: yes
forward-addr: 45.90.28.0#xxx.dns1.nextdns.io
forward-addr: 45.90.30.0#xxx.dns2.nextdns.io
Context
The text was updated successfully, but these errors were encountered: