
wildcard dnssec test fails

Sebastian Schmidt
Thu Dec 14 10:19:16 CET 2017


Hi Paul,

> Is your unbound configured to use another DNS as forwarder?

Yes, to NSD for the OpenNIC TLDs, which, to my understanding, should not affect this query.

Here is the config file:

# This file is managed by Ansible.
#
# template: /Users/seb/git/dns-resolver/required-roles/publicarray.unbound/templates/unbound.conf
# date: 2017-12-04 23:59:52
#
# unbound-control channel: enabled and bound to loopback only, so it is not
# exposed on the network-facing interfaces configured in the server: section.
# No control key/cert options are set here, so Unbound's defaults apply to how
# the channel is authenticated.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
# Main resolver settings: a validating, caching resolver that answers plain DNS
# on loopback and DNS-over-TLS on every address (see interface: / ssl-port:).
server:
    # Single worker thread, so every cache uses a single slab.
    num-threads: 1
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    key-cache-slabs: 1
    infra-cache-slabs: 1

    msg-cache-size: 72m
    rrset-cache-size: 144m
    key-cache-size: 72m
    # NOTE(review): neg-cache-size is set again further down (25m); presumably
    # the later value is the one in effect - confirm and drop one of the two.
    neg-cache-size: 36m

    # DNSSEC validation is switched off for each name below and everything
    # under it. These are the same names that get a stub-zone: at the end of
    # the file, so answers for them are accepted unauthenticated from whatever
    # server the stub points at.
    domain-insecure: "dns.opennic.glue"
    domain-insecure: "bbs"
    domain-insecure: "bit"
    domain-insecure: "chan"
    domain-insecure: "cyb"
    domain-insecure: "dyn"
    domain-insecure: "free"
    domain-insecure: "fur"
    domain-insecure: "geek"
    domain-insecure: "gopher"
    domain-insecure: "indy"
    domain-insecure: "libre"
    domain-insecure: "neo"
    domain-insecure: "null"
    domain-insecure: "o"
    domain-insecure: "opennic.glue"
    domain-insecure: "oss"
    domain-insecure: "oz"
    domain-insecure: "parody"
    domain-insecure: "pirate"
    domain-insecure: "glue"
    domain-insecure: "baza"
    domain-insecure: "coin"
    domain-insecure: "emc"
    domain-insecure: "lib"
    domain-insecure: "ku"
    domain-insecure: "te"
    domain-insecure: "ti"
    domain-insecure: "uu"

    num-queries-per-thread: 2048
    # Static local zones with no local-data: queries for these names are
    # answered locally (NXDOMAIN/NODATA) and never sent upstream, which keeps
    # private or junk suffixes from leaking to the root servers.
    local-zone: example. static
    local-zone: local. static
    local-zone: i2p. static
    local-zone: home. static
    local-zone: zghjccbob3n0. static
    local-zone: dhcp. static
    local-zone: lan. static
    local-zone: localdomain. static
    local-zone: ip. static
    local-zone: internal. static
    local-zone: openstacklocal. static
    local-zone: dlink. static
    local-zone: gw==. static
    local-zone: gateway. static
    local-zone: corp. static
    local-zone: workgroup. static
    local-zone: belkin. static
    local-zone: davolink. static
    local-zone: z. static
    local-zone: domain. static
    local-zone: virtualmin. static
    # "refuse" answers with rcode REFUSED instead of resolving the name.
    local-zone: 2.dnscrypt-cert.dns refuse
    outgoing-range: 4096
    statistics-cumulative: no
    # Root trust anchor for DNSSEC validation, kept up to date by Unbound
    # (RFC 5011); the file must be writable by the unbound user.
    auto-trust-anchor-file: root.key
    # DNS rebinding protection: these ranges are stripped from answers for
    # public names.
    # NOTE(review): loopback (127.0.0.0/8, ::1) is not listed - confirm whether
    # that is intended.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # Cap on queries per second sent towards any one zone.
    ratelimit: 200
    # Certificate for the DNS-over-TLS listener; the private key is set by
    # ssl-service-key: below.
    ssl-service-pem: /usr/local/etc/unbound/certificate.pem
    minimal-responses: yes
    log-time-ascii: yes
    # Must stay "no": the stub zones below send queries to NSD on 127.0.0.1.
    do-not-query-localhost: no
    # hide-identity / hide-version / hide-trustanchor stop the resolver from
    # answering the id.server, version.bind and trustanchor.unbound queries.
    hide-identity: yes
    incoming-num-tcp: 200
    infra-host-ttl: 3600
    # TLS private key, stored in the same directory as the rest of the config
    # and the chroot. File permissions are not visible here - it should be
    # readable only by the account that loads it.
    ssl-service-key: /usr/local/etc/unbound/private.key
    # Runs chrooted to the config directory; see username: for the privilege
    # drop.
    chroot: /usr/local/etc/unbound
    qname-minimisation: yes
    statistics-interval: 0
    # Non-standard port for plain DNS; it applies to the interface: lines that
    # do not name a port (the two loopback addresses).
    port: 56
    # Logs one line per query that fails DNSSEC validation.
    val-log-level: 1
    # With use-syslog enabled the logfile: setting further down is not used.
    use-syslog: yes
    # Listeners on this port speak DNS-over-TLS.
    ssl-port: 853
    hide-trustanchor: yes
    infra-cache-numhosts: 50000
    pidfile: unbound.pid
    # Cap on queries per second accepted from any single client address.
    ip-ratelimit: 100
    # Account the daemon drops privileges to after startup.
    username: unbound
    # Never send upstream queries to RFC 1918 addresses.
    do-not-query-address: 10.0.0.0/8
    do-not-query-address: 172.16.0.0/12
    do-not-query-address: 192.168.0.0/16
    # Expired cache entries may still be used to answer clients.
    serve-expired: yes
    # Recursion is allowed from every IPv4 and IPv6 source. Together with the
    # 0.0.0.0 / ::0 TLS listeners below this makes the TLS port an open
    # resolver; ratelimit: and ip-ratelimit: are the only abuse limits visible
    # in this file.
    # NOTE(review): confirm public service is intended, otherwise narrow these
    # to the client networks.
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 allow
    hide-version: yes
    # After this many unsolicited replies Unbound logs a warning and clears its
    # message and rrset caches as a defence against cache poisoning.
    unwanted-reply-threshold: 10000000
    udp-upstream-without-downstream: yes
    root-hints: root.hints
    # Plain DNS is served on loopback only; the wildcard addresses listen on
    # port 853 only.
    # NOTE(review): " at " is presumably the list archive's rewrite of "@" -
    # Unbound's syntax for an address with a port is ip@port.
    interface: 127.0.0.1
    interface: ::1
    interface: 0.0.0.0 at 853
    interface: ::0 at 853
    logfile: unbound.log
    prefetch-key: yes
    cache-max-ttl: 86400
    verbosity: 0
    # Second neg-cache-size setting in this section (the first is 36m).
    neg-cache-size: 25m
    # Records are cached for at least 300 seconds even when the zone publishes
    # a shorter TTL.
    cache-min-ttl: 300
    prefetch: yes
    directory: /usr/local/etc/unbound
    rrset-roundrobin: yes
    extended-statistics: yes
    jostle-timeout: 325
# OpenNIC zones served by the NSD instance on this host, loopback port 57.
# Every name here is also listed under domain-insecure: in the server: section,
# so these answers are not DNSSEC-validated.
# NOTE(review): " at " is presumably the list archive's rewrite of "@"
# (Unbound's syntax is ip@port).
stub-zone:
    name: "dns.opennic.glue"
    stub-addr: "127.0.0.1 at 57"   # NSD Authoritative Slave DNS server
stub-zone:
    name: "bbs"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "bit"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "chan"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "cyb"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "dyn"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "free"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "fur"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "geek"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "gopher"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "indy"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "libre"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "neo"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "null"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "o"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "opennic.glue"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "oss"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "oz"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "parody"
    stub-addr: "127.0.0.1 at 57"
stub-zone:
    name: "pirate"
    stub-addr: "127.0.0.1 at 57"
# OpenNIC Peers:
# Peer zones answered by servers outside this host. All eight names are also
# listed under domain-insecure: in the server: section, so answers from these
# third-party servers are accepted without DNSSEC validation.
# baza/coin/emc/lib name their servers by hostname (stub-host), which the
# resolver has to look up before it can query them.
stub-zone:
    name: "baza"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "coin"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "emc"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
stub-zone:
    name: "lib"
    stub-host: "seed1.emercoin.com"
    stub-host: "seed2.emercoin.com"
# ku/te/ti/uu list the local NSD instance plus the same two external addresses.
# NOTE(review): " at " is presumably the list archive's rewrite of "@"
# (Unbound's syntax is ip@port).
stub-zone:
    name: "ku"
    stub-addr: "127.0.0.1 at 57"
    stub-addr: "5.45.96.220"    # ns1.new-nations.ku
    stub-addr: "185.82.22.133"  # ns2.new-nations.ku
stub-zone:
    name: "te"
    stub-addr: "127.0.0.1 at 57"
    stub-addr: "5.45.96.220"    # ns1.new-nations.te
    stub-addr: "185.82.22.133"  # ns2.new-nations.te
stub-zone:
    name: "ti"
    stub-addr: "127.0.0.1 at 57"
    stub-addr: "5.45.96.220"    # ns1.new-nations.ti
    stub-addr: "185.82.22.133"  # ns2.new-nations.ti
stub-zone:
    name: "uu"
    stub-addr: "127.0.0.1 at 57"
    stub-addr: "5.45.96.220"    # ns1.new-nations.uu
    stub-addr: "185.82.22.133"  # ns2.new-nations.uu

Regards

Sebastian





        