[Solved] Unbound fails to resolve some hostnames

I'm running a FreeBSD 10.1-RELEASE email server that uses unbound (from base system) as caching/forwarding DNS server.

/etc/resolv.conf points to 127.0.0.1, and unbound config forwards to DNS servers on my LAN. Config is default.

Almost any domain name will properly resolve:

Code:
# drill patpro.net @127.0.0.1 MX
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 51773
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4 
;; QUESTION SECTION:
;; patpro.net.    IN    MX

;; ANSWER SECTION:
patpro.net.    55325    IN    MX    10 mail.patpro.net.
...

But for some domain names, it goes differently:

Code:
# drill dgfip.finances.gouv.fr MX
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 9622
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; dgfip.finances.gouv.fr.    IN    MX

;; ANSWER SECTION:

...

If I switch to my LAN DNS, I get an answer:

Code:
# drill dgfip.finances.gouv.fr @my.dns.tld MX
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33036
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6 
;; QUESTION SECTION:
;; dgfip.finances.gouv.fr.    IN    MX

;; ANSWER SECTION:
dgfip.finances.gouv.FR.    13493    IN    MX    0 mail.dgfip.finances.gouv.fr.

...

Any hint?
 
Never mind, I've switched to module "iterator", instead of the default validator/iterator. Now it works.
 
The OP would have added module-config: "iterator" to the unbound.conf and restarted it. This has the effect of disabling DNSSEC validation, which appears to have solved the problem they had, but they really ought to have looked at the real reason for the problem, which is probably that the domain they were trying to resolve had broken DNSSEC signatures or, far less likely, had actually been hijacked by somebody else.
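A quick way to confirm the diagnosis in the reply above before touching module-config. This is an added helper, not something posted in the thread: it queries the validating resolver twice with drill, once normally and once with the CD (checking disabled) bit set via drill's -o CD option, and reads the rcode of each answer. A name that is SERVFAIL normally but NOERROR with CD set was rejected by the validator, not lost upstream. Script name, function names and the sample header lines are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): separates a DNSSEC
# validation failure from a plain upstream failure by comparing the
# resolver's answer with and without the CD bit.

# Print the rcode found in a drill answer read from stdin (empty if none).
rcode_of() {
  awk -F'rcode: ' '/rcode:/ { split($2, a, ","); print a[1]; exit }'
}

# classify NORMAL_RCODE CD_RCODE -> one-word verdict
classify() {
  case "$1/$2" in
    NORESPONSE/*)      echo no-response ;;      # resolver unreachable or timed out
    NOERROR/*)         echo resolves ;;         # nothing wrong
    SERVFAIL/NOERROR)  echo dnssec-bogus ;;     # validator rejected the data
    SERVFAIL/SERVFAIL) echo upstream-failure ;; # broken even without validation
    *)                 echo "other:$1/$2" ;;    # NXDOMAIN, REFUSED, ...
  esac
}

# check NAME [TYPE] [RESOLVER]: run both queries against a live resolver.
check() {
  name=$1; type=${2:-MX}; server=${3:-127.0.0.1}
  normal=$(drill "$name" @"$server" "$type" 2>/dev/null | rcode_of)
  with_cd=$(drill -o CD "$name" @"$server" "$type" 2>/dev/null | rcode_of)
  classify "${normal:-NORESPONSE}" "${with_cd:-NORESPONSE}"
}

# Constructed drill header lines shaped like the ones in the thread, so the
# classifier can be exercised without a resolver on hand.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 9622'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33036'

# demo: classify the constructed samples (expected verdict: dnssec-bogus)
demo() {
  classify "$(printf '%s\n' "$SAMPLE_NORMAL" | rcode_of)" \
           "$(printf '%s\n' "$SAMPLE_CD" | rcode_of)"
}

# Usage: sh dnssec-check.sh dgfip.finances.gouv.fr MX 127.0.0.1
if [ $# -gt 0 ]; then check "$@"; else demo; fi
```

If the verdict is dnssec-bogus, the fix belongs with the zone operator; on the resolver side, a `domain-insecure:` entry in unbound.conf exempts just that zone from validation instead of switching it off for every name.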
 