Why must each nameserver in LAN support DNSSEC when using local_unbound?

Hello,

If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test.

Why?

Thanks.
 
How have you configured your local stuff?

[EDIT]

If you have just a few machines you can do it inside the unbound.conf(5).

Code:
local-zone: "example.local." transparent
    local-data: "router.example.local IN A 10.0.0.1"
    
local-zone: "0.10.in-addr.arpa." static
    local-data: "1.0.0.10.in-addr.arpa IN PTR router.example.local"
 
Local servers don't need to have DNSSEC enabled; it all depends on how you configured your resolver and what domains you're trying to access.
 
Single VM, no DNS server, and if DNSSEC is not disabled, the domain name will not be resolved.
 
sdf

It is hard to get what is going on in there with the information you provided. Can you describe the entire situation, including how that domain was configured and if that is a registered domain or a private one (something.local)?
 
One virtual machine

/etc/resolv.conf
search example.com
nameserver 192.168.1.1 # This is the Lan interface of a wireless router.

Then service local_unbound onestart.
No configuration of unbound.conf has been modified.


# drill -S freebsd.org @192.168.1.1
:: Number of trusted keys: 2
:: Chasing: freebsd.org. A

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
:: Chase failed.

# ping -c1 freebsd.org
ping: cannot resolv freebsd.org: Host name lookup failure
 
Was an answer found to this question?

I have one installation that fails and another that succeeds with the same server on the home router.

I think I need a certificate on the computer on which it fails.

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
:: Chase failed.
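
The per-nameserver test that the quoted advice asks for, run over every entry in a resolv.conf file with the same drill -S command used in the thread. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes a failed chase prints the lines shown in the transcript above.

```shell
#!/bin/sh
# Added example (not from the thread): run the thread's "drill -S" test
# against every nameserver listed in a resolv.conf file.
# Function names are hypothetical.

# Print the address from each "nameserver" line, ignoring comments.
list_nameservers() {
    sed -e 's/#.*//' "$1" | awk '$1 == "nameserver" && $2 != "" { print $2 }'
}

# Read "drill -S" output on stdin. Fail on empty output or on either
# failure line shown in the thread's transcript (assumed to mark a
# failed chase).
chase_ok() {
    chase_out=$(cat)
    [ -n "$chase_out" ] || return 1
    case $chase_out in
        *"Chase failed"*|*"No DNSSEC public key"*) return 1 ;;
    esac
    return 0
}

# Run the test for one server ($1) and one signed domain ($2).
check_server() {
    drill_out=$(drill -S "$2" @"$1" 2>&1) || return 1
    printf '%s\n' "$drill_out" | chase_ok
}

# Check every server; return non-zero if any of them fails.
main() {
    conf=$1
    domain=${2:-freebsd.org}
    rc=0
    for ns in $(list_nameservers "$conf"); do
        if check_server "$ns" "$domain"; then
            echo "$ns: DNSSEC chase OK"
        else
            echo "$ns: DNSSEC chase FAILED, remove it from $conf"
            rc=1
        fi
    done
    return "$rc"
}

# Only run when given a file, e.g.: sh check_ns.sh /etc/resolv.conf
if [ $# -gt 0 ]; then
    main "$@"
fi
```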
 