Cannot resolve *.freebsd.org but everything else

Most likely your router is blocking DNS responses which are bigger than 512 bytes, and when you query DNSSEC you don't get any DNS response from the server because those responses are a lot bigger.
You can try the same using the DNS server that your ISP is providing you and verify if you can get the DNSSEC chain using drill -TD @IPaddress_of_ISP_DNS google.com.

Example:
Indeed, querying my ISP's DNS server with drill -TD @ISP_DNS_IP google.com did not resolve either.

I am still unclear why only *.freebsd.org did not resolve!?

PS Learning something new every day...
 
Because it's trying to verify the DNS using DNSSEC to be sure that the data is not tampered with. The DNS is not secure and it can be easily spoofed and you can be redirected to an unofficial (phishing) site. It's important to trust your DNS server as your security depends on it.

Am I right to assume that turning off DNSSEC in unbound would be an option in my case, since DNSSEC is either way not supported by my router? (With or without unbound running I am at the same security level due to my router)
 
It's better to test if the issue is in your router by connecting directly without it, or replace it with a different one.
 
It's far more likely to be a local problem on his FreeBSD machine; if he can do the lookup without unbound, it won't be the router. If the FreeBSD machine is running pf (or other), allow UDP and TCP port 53.
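The two hypotheses in this thread (replies over 512 bytes dropped on the path, or port 53 filtered locally) can be told apart by sending the same query with and without the EDNS0 DO bit and looking at what comes back. The following is an added example, not code from any post in the thread; the function names and the sample reply are constructed for illustration.

```python
import socket
import struct

LEGACY_UDP_LIMIT = 512  # largest DNS-over-UDP reply a pre-EDNS0 device expects

def build_query(name, qtype=1, dnssec=True, bufsize=4096, qid=0x1234):
    """Build a DNS query; dnssec=True appends an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if dnssec:
        # OPT RR: root name, TYPE=41, CLASS=UDP buffer size, TTL=DO flag, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + question + opt

def classify_reply(reply):
    """Say what a reply (or its absence) tells us about the path."""
    if reply is None:
        return "no reply: dropped on the path or by a local firewall"
    if len(reply) < 12:
        return "malformed reply"
    flags = struct.unpack("!H", reply[2:4])[0]
    if flags & 0x0200:  # TC bit set: the resolver must retry over TCP
        return "truncated: retry needs TCP port 53"
    if len(reply) > LEGACY_UDP_LIMIT:
        return "large reply arrived: path passes >512-byte UDP"
    return "small reply arrived"

def probe(server, name, dnssec, timeout=3.0):
    """Send one UDP DNSKEY query to server and classify the result (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype=48, dnssec=dnssec), (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            reply = None
    return classify_reply(reply)

# Constructed sample: a bare reply header with QR, TC and RD set, one question.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8300, 1, 0, 0, 0)
```

Calling `probe("ISP_DNS_IP", "freebsd.org", dnssec=True)` and again with `dnssec=False` against the same server shows whether only the large DNSSEC reply goes missing; `ISP_DNS_IP` is a placeholder, as in the thread.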
 