Maintained by: NLnet Labs

local stubs not served when internet down

A. Schulze
Tue Jun 21 23:34:19 CEST 2016



Am 21.06.2016 um 19:23 schrieb Daisuke HIGASHI via Unbound-users:
>   I guess that your unbound resolver is set to do DNSSEC validation.
>
>   Unbound tries to verify chain of trust from root (.) to the resolving domain,
> even if the domain is a stub/forwarder zone. Obviously the validation fails
> when unbound can't reach root servers (or TLD servers) due to network outage.
sounds plausible.

>   Possible workaround is to set negative trust anchor
> (domain-insecure) for the stub zone like this:
>
>    server:
>      auto-trust-anchor-file: "root.key" # DNSSEC validation enabled
>      domain-insecure: "mydummylocaldomain.com"
>    stub-zone:
>      name: "mydummylocaldomain.com"
>      stub-addr: 127.0.0.1@54

Even operating a root zone mirror (RFC 7706) wouldn't help, because second-level domains could not be reached.
So if a network likes to keep internal/own services running, DNSSEC must be disabled (altogether, or by setting negative trust anchors).

Consequence to me: using DNSSEC *requires* connectivity.
Am I right?

Andreas
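As an added illustration (not part of this thread and not Unbound's own tooling), a small Python lint that reads an unbound.conf and lists the stub/forward zones a validating resolver would still refuse when the root and TLD servers are unreachable, because no domain-insecure entry covers them. The second stub-zone, its name and address are constructed sample data.

```python
"""Lint an unbound.conf for stub/forward zones that a validating resolver
cannot answer offline because no domain-insecure covers them."""
import re
SECTION_RE = re.compile(r"^(server|stub-zone|forward-zone):\s*$")
TRUST_KEYS = {"auto-trust-anchor-file", "trust-anchor-file", "trust-anchor", "trusted-keys-file"}

def _norm(name):
    """Strip quotes and trailing dot so names compare the way Unbound treats them."""
    return name.strip().strip('"').rstrip(".").lower()

def parse_unbound_conf(text):
    """Return (validation_enabled, insecure_names, zone_names)."""
    section, validation, insecure, zones = None, False, set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if section == "server" and key in TRUST_KEYS:
            validation = True
        elif section == "server" and key == "domain-insecure":
            insecure.add(_norm(value))
        elif section in ("stub-zone", "forward-zone") and key == "name":
            zones.append(_norm(value))
    return validation, insecure, zones

def covered(zone, insecure):
    """True if zone or any ancestor is declared domain-insecure."""
    labels = zone.split(".")
    return any(".".join(labels[i:]) in insecure for i in range(len(labels)))

def uncovered_local_zones(text):
    """Zones that validation will reject once root/TLD servers are unreachable."""
    validation, insecure, zones = parse_unbound_conf(text)
    return [z for z in zones if not covered(z, insecure)] if validation else []

# Constructed sample: the first zone mirrors the thread; the second has no
# negative trust anchor, so it fails as soon as the chain of trust cannot be fetched.
SAMPLE_CONF = """\
server:
  auto-trust-anchor-file: "root.key"   # DNSSEC validation enabled
  domain-insecure: "mydummylocaldomain.com"
stub-zone:
  name: "mydummylocaldomain.com"
  stub-addr: 127.0.0.1@54
stub-zone:
  name: "lab.example.internal."
  stub-addr: 10.0.0.53
"""
```

Running `uncovered_local_zones(SAMPLE_CONF)` reports only `lab.example.internal`; a domain-insecure entry for a parent name (for example `internal`) would cover it as well.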