Unbound(8) caching resolver no workie on fresh install :-(

Ronald F. Guilmette rfg at tristatelogic.com
Thu Oct 12 16:58:26 UTC 2017


In message <CA+4G5KY727cJ=Lp-hU77DH03d+Kw9iHD9cpBUqT24h7jWDPYLw at mail.gmail.com>
Erwan Legrand <freebsd at erwanlegrand.com> wrote:

>On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
><rfg at tristatelogic.com> wrote:
>> After the install finished and I booted the new system, I immediately
>> got some console errors indicating that the various default NTP servers
>> (I also enabled NTP) were not resolving. :-(
>
>This could happen if you forward queries to servers which strip DNSSEC
>signatures. If that is the case, you have two options: either you stop
>forwarding to these servers or you disable the DNSSEC support in
>Unbound.

OK, this is a little bit confusing to me, so please bear with me...

My *router* (Linksys E4200) has been configured to tell DHCP clients
to use the two public name servers of OpenDNS, i.e. 208.67.222.222
and 208.67.220.220.

However I'm unclear on what, if anything, this has to do with the Unbound(8)
caching resolver.

During this (fresh) install, I -never- explicitly selected any option that
would obviously have the effect of telling unbound to forward/route all
of its DNS queries through any other specific name servers.  So why on
earth would it be doing so?

I mean I -thought- that this was (mostly) the whole point of running a
local caching resolver, i.e. that *it* would do all of the DNS lookups
itself, traversing/descending its way, as necessary, down from the root
zone servers until it found what it was looking for.

I don't know if the OpenDNS servers strip DNSSEC stuff or not, but again,
I don't see why Unbound(8) should even be using those servers anyway.
Just because my router is giving those two specific IPv4 addresses to
each of its DHCP clients, that doesn't mean that any of those clients
are in any way forced to use them.  And I don't see why Unbound(8) would
be doing so.

If it isn't, and if unbound is, as I believed, traversing the DNS tree itself,
starting from the root each time, then there is nobody and nothing between
it and the authoritative servers for whatever it happens to be looking
for -- thus, no filtering of DNSSEC, and thus, the resolution failures
I described are still mysterious... to me anyway.

What am I missing?
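The forwarding-versus-DNSSEC question above, as an added shell example that is not part of this thread: it lists the forward-addr entries an Unbound config points at (FreeBSD's local_unbound setup generates such a forward.conf from the nameservers in resolv.conf, which is how DHCP-provided servers become forwarders) and checks whether a saved `dig +dnssec` answer from a forwarder still carries RRSIG records, since a validating resolver fails without them. The config file and both dig outputs are constructed samples; `example.com` and the temp file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list the forwarders an Unbound config
# sends queries to, and tell from a saved `dig +dnssec` answer whether a
# forwarder returned the RRSIG records a validating resolver needs.

# Print each forward-addr value in CONF (comments and any @port suffix dropped).
forwarders_from_conf() {
    sed 's/#.*//' "$1" | awk '$1 == "forward-addr:" { sub(/@.*/, "", $2); print $2 }'
}

# Exit 0 if the ANSWER SECTION of a saved dig output contains an RRSIG, else 1.
answer_has_rrsig() {
    awk '/^;; ANSWER SECTION:/  { inans = 1; next }
         /^;;/                  { inans = 0 }
         inans && $4 == "RRSIG" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Live probe (needs network): ask one forwarder for a signed name with DO set.
probe_forwarder() {
    dig +dnssec @"$1" "$2" A > "$3" && answer_has_rrsig "$3"
}

# Constructed samples: a forward.conf of the kind written from resolv.conf,
# and two saved dig answers (signatures stripped vs. passed through).
CONF=$(mktemp); STRIPPED=$(mktemp); SIGNED=$(mktemp)
trap 'rm -f "$CONF" "$STRIPPED" "$SIGNED"' EXIT
cat > "$CONF" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 208.67.222.222   # handed out by the router's DHCP
    forward-addr: 208.67.220.220@53
EOF
cat > "$STRIPPED" <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.   3600  IN  A  192.0.2.1
;; Query time: 20 msec
EOF
cat > "$SIGNED" <<'EOF'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.   3600  IN  A      192.0.2.1
example.com.   3600  IN  RRSIG  A 13 2 3600 20171101000000 20171001000000 12345 example.com. c29tZXNpZw==
;; Query time: 20 msec
EOF

for fwd in $(forwarders_from_conf "$CONF"); do
    echo "unbound forwards to $fwd"   # live: probe_forwarder "$fwd" example.com /tmp/dig.out
done
answer_has_rrsig "$STRIPPED" || echo "stripped sample: no RRSIG, validation would fail"
answer_has_rrsig "$SIGNED"   && echo "signed sample: RRSIG present, forwarder passes DNSSEC"
```

To check a real forwarder, run `probe_forwarder 208.67.222.222 example.com /tmp/dig.out`; a failing exit status means the upstream is not returning signatures and Unbound's validator cannot succeed through it.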


More information about the freebsd-questions mailing list