Hi,
I'm using OPNsense 21.7.2_1-amd64 with actual patches. Unbound is running as DNS server for the internal LAN. When I enable DNSSEC via the UI (Services/Unbound DNS/General, checkbox "Enable DNSSEC Support") I won't get name resolution for netgear.com.
mic@WORKSTATION:~$ nslookup
> server 192.168.35.1
Default server: 192.168.35.1
Address: 192.168.35.1#53
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53
Non-authoritative answer:
Name: netgear.com
Address: 13.248.140.194
Name: netgear.com
Address: 76.223.14.31
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53
** server can't find netgear.com: SERVFAIL
>
First test in the upper sample is with disabled DNSSEC, second one with DNSSEC enabled.
Other domains work without problems.
So the question is: is it netgear.com doing things wrong, or is the problem on my side?
Thx for any help, Michael
Seems to be a problem with your setup?
nslookup netgear.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: netgear.com
Address: 13.248.140.194
Name: netgear.com
Address: 76.223.14.31
Yeah, looks like you may have too strict DNSSEC settings since Netgear.com does not even implement DNSSEC.
https://dnssec-analyzer.verisignlabs.com/Netgear.com
Quote from: sorano on September 13, 2021, 02:34:55 PM
Yeah, looks like you may have too strict DNSSEC settings since Netgear.com does not even implement DNSSEC.
Hmm, I just clicked in the UI "Enable DNSSEC Support". No manual tweaks in a config file.
How can I find out what happens when this checkbox is enabled? In the section "Unbound DNS/Log File" there is no info regarding netgear.com.
Why are other domains without DNSSEC working? I'm puzzled.
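
One way to check whether a SERVFAIL like the one in this thread comes from the resolver's DNSSEC validator (an added example, not part of the thread): send the same query twice, once normally and once with the Checking Disabled (CD) header bit, and compare the two reply headers. The function names are illustrative, and probe() assumes the resolver is reachable over UDP port 53.

```python
import socket
import struct

RD, AD, CD = 0x0100, 0x0020, 0x0010   # DNS header flag bits
SERVFAIL = 2

def build_query(name, qid, cd=False):
    """A query for `name` with the EDNS0 DO bit set; cd=True sets Checking Disabled."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, UDP size, ext-rcode, version, DO flag, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Extract the fields needed for the comparison from a DNS message header."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & AD), "answers": ancount}

def classify(normal, unchecked):
    """normal: reply to the plain query; unchecked: reply to the CD=1 query."""
    if normal["rcode"] == SERVFAIL:
        if unchecked["rcode"] != SERVFAIL:
            return "validation-failure"   # an answer exists, the validator rejected it
        return "resolver-failure"         # fails even with validation switched off
    return "secure" if normal["ad"] else "insecure"

def probe(server, name, timeout=3.0):
    """Send both queries to `server` over UDP/53 and classify the pair of replies."""
    replies = []
    for qid, cd in ((0x1001, False), (0x1002, True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid, cd), (server, 53))
            replies.append(parse_header(s.recv(4096)))
    return classify(*replies)

if __name__ == "__main__":
    # Resolver address and name taken from the thread; needs network access.
    print(probe("192.168.35.1", "netgear.com"))
```

A result of "validation-failure" points at the validator (trust anchor, system clock, or a broken chain somewhere above the name), while "resolver-failure" means the lookup fails for reasons unrelated to DNSSEC.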