Why must each nameserver in LAN support DNSSEC when using local_unbound?

sdf


Hello,

If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test.
Why?

Thanks.
 

sdf


But why will local DNS resolution fail after DNSSEC is enabled?
 

rigoletto@


How have you configured your local stuff?

[EDIT]

If you have just a few machines you can do it inside the unbound.conf(5).

Code:
server:
    # forward zone for local names: answer from local-data, resolve everything else normally
    local-zone: "example.local." transparent
    local-data: "router.example.local IN A 10.0.0.1"

    # reverse zone for 10.0.0.0/16: answer only from local-data
    local-zone: "0.10.in-addr.arpa." static
    local-data: "1.0.0.10.in-addr.arpa IN PTR router.example.local"
 

ShelLuser


Local servers don't need to have DNSSEC enabled, it all depends on how you configured your resolver and what domains you're trying to access.
 

sdf


Single VM machine, no DNS server, and if DNSSEC is not disabled, the domain name will not be resolved.
 

rigoletto@


sdf

It is hard to get what is going on in there with the information you provided. Can you describe the entire situation, including how that domain was configured and whether that is a registered domain or a private one (something.local)?
 

sdf


One virtual machine

/etc/resolv.conf
search example.com
nameserver 192.168.1.1 # This is the Lan interface of a wireless router.

Then service local_unbound onestart.
No configuration of unbound.conf has been modified.


# drill -S freebsd.org @192.168.1.1
:: Number of trusted keys: 2
:: Chasing: freebsd.org. A

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
:: Chase failed.

# ping -c1 freebsd.org
ping: cannot resolv freebsd.org: Host name lookup failure
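An added example, not from this thread or from local_unbound itself, showing what the Handbook's warning comes down to: local_unbound forwards queries to the nameservers from resolv.conf and validates DNSSEC on its own, so each forwarder has to pass DNSSEC records (RRSIG, DNSKEY, DS) back when asked with the EDNS0 DO bit; a DNSSEC-unaware router resolver that strips them leaves the validator with nothing to chase, which is the "No DNSSEC public key(s)" failure above. The code builds such a query and checks a reply for RRSIGs; the two sample replies are constructed so it runs offline, and send_query() is the live variant (assumed: UDP port 53, 192.0.2.10 as a placeholder address).

```python
import socket, struct

RRSIG = 46                                         # RR type code for RRSIG (RFC 4034)
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # EDNS0 OPT: 4096-byte UDP size, DO bit set

def _wire_name(qname):
    return b"".join(bytes([len(label)]) + label.encode() for label in qname.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=1, txid=0x1234):      # A query, RD=1, plus the OPT record that asks for DNSSEC data
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return hdr + _wire_name(qname) + struct.pack("!HH", qtype, 1) + OPT_RR

def _skip_name(msg, off):                          # offset just past a possibly compressed name
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0 or ln == 0:         # pointer (2 bytes) or root label (1 byte) ends the name
            return off + (2 if ln else 1)
        off += 1 + ln

def parse_response(msg):                           # -> (rcode, number of RRSIG records in the message)
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, sigs = 12, 0
    for _ in range(qd):
        off = _skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        sigs += rtype == RRSIG
    return flags & 0xF, sigs

def forwarder_supports_dnssec(response):           # NOERROR and at least one RRSIG: DNSSEC data was passed through
    rcode, sigs = parse_response(response)
    return rcode == 0 and sigs > 0

def send_query(server, qname, timeout=3.0):        # live check (needs network): raw UDP reply from server:53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        return s.recv(4096)

def sample_response(qname, with_rrsig):            # constructed reply: one A record, optionally an RRSIG, plus OPT
    n, rrs = _wire_name(qname), [(1, bytes([192, 0, 2, 10]))]     # 192.0.2.10 is a documentation address
    if with_rrsig:                                 # dummy RRSIG rdata: fixed fields, signer name, fake signature
        rrs.append((RRSIG, struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 0) + n + b"\x00" * 16))
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(r)) + r for t, r in rrs)
    hdr = struct.pack("!HHHHHH", 0x1234, 0x81A0 if with_rrsig else 0x8180, 1, len(rrs), 0, 1)
    return hdr + n + struct.pack("!HH", 1, 1) + body + OPT_RR
```

Run forwarder_supports_dnssec(send_query("192.168.1.1", "freebsd.org")) against each nameserver in resolv.conf; a False result for the router is the case the Handbook tells you to remove.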
 

hruodr


Was an answer found to this question?

I have an installation that fails and another that succeeds with the same server on the home router.

I think I need a certificate on the computer that fails.

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
:: Chase failed.
 