Messages - michael_g

#1
General Discussion / Re: DNSSEC -> SERVFAIL
September 13, 2021, 03:37:53 PM
Quote from: sorano on September 13, 2021, 02:34:55 PM
Yeah, looks like you may have too strict DNSSEC settings, since Netgear.com does not even implement DNSSEC.

Hmm, I just clicked in the UI "Enable DNSSEC Support". No manual tweaks in a config file.

How can I find out what happens when this checkbox is enabled? In the section "Unbound DNS/Log File" there is no info regarding netgear.com.

Why are other domains without DNSSEC working? I'm puzzled.
#2
General Discussion / DNSSEC -> SERVFAIL
September 13, 2021, 11:58:01 AM
Hi,

I'm using OPNsense OPNsense 21.7.2_1-amd64 with actual patches. Unbound is running as DNS-Server for the internal LAN. When I enable DNSSEC via UI (Services/Unbound DNS/General, Checkbox "Enable DNSSEC Support") I won't get name resolution for netgear.com.

mic@WORKSTATION:~$ nslookup
> server 192.168.35.1
Default server: 192.168.35.1
Address: 192.168.35.1#53
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53

Non-authoritative answer:
Name: netgear.com
Address: 13.248.140.194
Name: netgear.com
Address: 76.223.14.31
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53

** server can't find netgear.com: SERVFAIL
>


First test in the upper sample is with disabled DNSSEC, second one with DNSSEC enabled.

Other domains work without problems.

So the question is: is it netgear.com doing things wrong, or is the problem on my side?

Thx for any help, Michael
#3
German - Deutsch / Re: DNSSEC -> SERVFAIL
September 09, 2021, 12:09:14 PM
Hello Heiko,

Quote from: hsiewert on September 09, 2021, 11:22:50 AM
How did you configure Unbound?

Via the UI: Services/Unbound DNS/General, checkbox "Enable DNSSEC Support".

Michael
#4
German - Deutsch / DNSSEC -> SERVFAIL
September 09, 2021, 11:00:54 AM
Hello,

I am using OPNsense OPNsense 21.7.2_1-amd64 with current patches.
I use Unbound as the DNS server for my clients. When I have DNSSEC enabled in the configuration, name resolution for netgear.com does not work.

mic@WORKSTATION:~$ nslookup
> server 192.168.35.1
Default server: 192.168.35.1
Address: 192.168.35.1#53
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53

Non-authoritative answer:
Name: netgear.com
Address: 13.248.140.194
Name: netgear.com
Address: 76.223.14.31
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53

** server can't find netgear.com: SERVFAIL
>


The first call is with DNSSEC disabled, the second call with DNSSEC enabled. Other domains work without complaint.

The question I have: did netgear.com do something wrong, is DNSSEC broken, does Unbound have a problem? What is the next step in the analysis?

I'm grateful for any good tip!

Michael