DNSSEC -> SERVFAIL

Started by michael_g, September 13, 2021, 11:58:01 AM

Hi,

I'm using OPNsense 21.7.2_1-amd64 with the current patches. Unbound is running as DNS server for the internal LAN. When I enable DNSSEC via the UI (Services/Unbound DNS/General, checkbox "Enable DNSSEC Support") I don't get name resolution for netgear.com.

mic@WORKSTATION:~$ nslookup
> server 192.168.35.1
Default server: 192.168.35.1
Address: 192.168.35.1#53
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53

Non-authoritative answer:
Name: netgear.com
Address: 13.248.140.194
Name: netgear.com
Address: 76.223.14.31
> netgear.com
Server: 192.168.35.1
Address: 192.168.35.1#53

** server can't find netgear.com: SERVFAIL
>


First test in the upper sample is with disabled DNSSEC, second one with DNSSEC enabled.

Other domains work without problems.

So the question is: is it netgear.com doing things wrong, or is the problem on my side?

Thx for any help, Michael

Seems to be a problem with your setup?


nslookup netgear.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   netgear.com
Address: 13.248.140.194
Name:   netgear.com
Address: 76.223.14.31


Yeah, looks like you may have too strict DNSSEC settings, since Netgear.com does not even implement DNSSEC.

https://dnssec-analyzer.verisignlabs.com/Netgear.com
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.

Quote from: sorano on September 13, 2021, 02:34:55 PM
Yeah, looks like you may have too strict DNSSEC settings, since Netgear.com does not even implement DNSSEC.

Hmm, I just clicked "Enable DNSSEC Support" in the UI. No manual tweaks in a config file.

How can I find out what happens when this checkbox is enabled? In the section "Unbound DNS/Log File" there is no info regarding netgear.com.

Why are other domains without DNSSEC working? I'm puzzled.
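One way to answer the "how can I find out what happens" question above, added here as an example and not taken from any post in this thread: query the resolver twice with dig, once normally and once with the CD (checking disabled) flag, and compare the RCODEs. It assumes dig (bind-tools / dnsutils) is installed on the querying host; the resolver address and name in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Added diagnostic for the thread's question; not code from any post.
# Assumes `dig` (package bind-tools / dnsutils) on the querying host.
# Idea: a validating resolver answers SERVFAIL when DNSSEC validation fails,
# but with the CD (checking disabled) flag set it returns the unvalidated
# answer anyway. Comparing the two RCODEs separates a validation failure
# from an ordinary resolution failure that DNSSEC has nothing to do with.

# parse_rcode / parse_flags: read dig output on stdin, print one field.
parse_rcode() { sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'; }
parse_flags() { sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }

# verdict RCODE FLAGS RCODE_WITH_CD: pure classification, no network access.
verdict() {
    case "$1" in
        NOERROR)
            case " $2 " in
                *" ad "*) echo "resolves-ok-validated" ;;   # signed and verified
                *)        echo "resolves-ok-unsigned-or-unvalidated" ;;
            esac ;;
        SERVFAIL)
            if [ "$3" = NOERROR ]; then echo "dnssec-validation-failure"
            else echo "failure-unrelated-to-dnssec"; fi ;;
        *) echo "unexpected:$1" ;;
    esac
}

# query RESOLVER NAME [extra dig options]: raw dig output for an A lookup.
query() {
    r=$1; n=$2; shift 2
    dig @"$r" "$n" A +dnssec +time=3 +tries=1 "$@"
}

# check RESOLVER NAME: run the normal and the +cd query, print the verdict.
check() {
    out=$(query "$1" "$2")
    verdict "$(printf '%s\n' "$out" | parse_rcode)" \
            "$(printf '%s\n' "$out" | parse_flags)" \
            "$(query "$1" "$2" +cd | parse_rcode)"
}

# Usage with the resolver and name from the thread: check 192.168.35.1 netgear.com
```

A "dnssec-validation-failure" verdict for an unsigned zone means the resolver could not prove from the parent zone that the name is unsigned, which is what to investigate next. Unbound only writes the reason for a validation failure to its log when val-log-level in unbound.conf is raised above the default, which is why the log file shows nothing by default.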