On 10/6/22 6:33 PM, PGNet Dev via Unbound-users wrote:
> seems it's my unbound config.
it is, because on my unbound I can get the non-existent domain reply just as with quad8 and quad1.
> any hints as to cause/cure for this failing dane/tlsa query? or where/how to dig further?
here is my 'working' unbound.conf, hope it helps

-- antonio

# included first: RPZ zones, blocklists and shared settings
include: "/usr/local/etc/unbound/rpz/*.conf"
include: "/usr/local/etc/unbound/blacklists.d/*.conf"
include: "/usr/local/etc/unbound/shared.conf.d/*.conf"

server:
    verbosity: 1
    extended-statistics: yes
    num-threads: 1

    # listen for Do53 (53), DoH (443) and DoT (853) on all addresses
    interface: 0.0.0.0
    interface: ::0
    interface: 0.0.0.0@443
    interface: ::0@443
    interface: 0.0.0.0@853
    interface: ::0@853
    port: 53

    outgoing-range: 4096
    outgoing-num-tcp: 128
    incoming-num-tcp: 128
    so-reuseport: no

    # cache sizing; slab counts are plain powers of 2, not sizes
    # (the value was posted as "16m", which is not a valid slab count)
    msg-cache-size: 128m
    msg-cache-slabs: 8
    num-queries-per-thread: 1024
    rrset-cache-size: 16m
    rrset-cache-slabs: 16
    cache-min-ttl: 15
    cache-max-ttl: 86400
    cache-max-negative-ttl: 300
    infra-cache-numhosts: 100000

    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # only localhost may query; all other sources are dropped (deny, not refuse)
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny

    # chroot and relative paths; files named without a leading / resolve under 'directory'
    chroot: "/usr/local/etc/unbound"
    username: "unbound"
    directory: "/usr/local/etc/unbound"
    logfile: "/usr/local/etc/unbound/log/unbound.log"
    use-syslog: no
    log-time-ascii: yes
    log-queries: no
    log-replies: no
    pidfile: "/usr/local/etc/unbound/run/unbound.pid"
    root-hints: "/usr/local/etc/unbound/named.cache"

    hide-identity: yes
    hide-version: yes
    hide-trustanchor: no

    # hardening and privacy
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    qname-minimisation: yes
    qname-minimisation-strict: yes
    aggressive-nsec: yes
    use-caps-for-id: yes

    # never accept these in answers from upstream and never send queries to them
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    do-not-query-address: 127.0.0.1/8
    do-not-query-address: ::1
    do-not-query-localhost: yes

    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes

    # RPZ (respip) is applied ahead of DNSSEC validation; root trust anchor is auto-managed
    module-config: "respip validator iterator"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    trust-anchor-signaling: yes
    root-key-sentinel: yes
    val-clean-additional: yes
    serve-expired: no

    # DoT/DoH service certificate (relative to 'directory', inside the chroot)
    tls-service-key: "ns12-rec.as59715.net.key.pem"
    tls-service-pem: "ns12-rec.as59715.net.cert.pem"
    tls-port: 853
    https-port: 443

    ratelimit: 100
    ip-ratelimit: 100

python:

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8953
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
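The open question in the thread is how to dig further on the failing TLSA lookup. The script below is an added example, not code from either message: it runs the same `dig +dnssec` TLSA query against a chosen resolver and classifies the answer from the rcode and the AD flag, so an Unbound instance can be compared directly with quad8/quad1. It assumes dig's standard `+comments` output format; the resolver address, port and host are caller-supplied, and the three sample outputs embedded at the bottom are constructed for offline checking, not real captures.

```sh
#!/bin/sh
# Added example (not from the thread): classify a resolver's answer to a
# DANE/TLSA lookup by rcode and AD flag, as a validating resolver reports it.
# Real command used: dig (+dnssec sets the DO bit so RRSIGs are returned and
# validation status shows up in the AD flag). Resolver, port and host are
# caller-supplied assumptions.

# classify_dig_output: reads 'dig +comments' output on stdin and prints
#   secure    NOERROR or NXDOMAIN with AD set: the resolver validated the answer
#   insecure  NOERROR or NXDOMAIN without AD: unsigned zone or non-validating resolver
#   bogus     SERVFAIL: validation failed, or the resolver could not resolve at all
#   unknown   any other rcode (REFUSED, NOTIMP, ...)
classify_dig_output() {
    text=$(cat)
    status=$(printf '%s\n' "$text" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$text" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR|NXDOMAIN)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo unknown ;;
    esac
}

# count_tlsa: number of TLSA records in the answer section of dig output on stdin
# (grep -c exits 1 when the count is 0, so the status is masked after printing)
count_tlsa() {
    grep -c '[[:space:]]IN[[:space:]][[:space:]]*TLSA[[:space:]]' || true
}

# query_tlsa RESOLVER PORT HOST: asks RESOLVER for _PORT._tcp.HOST TLSA with the
# DO bit set and prints "<classification> <number of TLSA records>"
query_tlsa() {
    out=$(dig @"$1" +dnssec +noall +comments +answer "_$2._tcp.$3" TLSA)
    cls=$(printf '%s\n' "$out" | classify_dig_output)
    n=$(printf '%s\n' "$out" | count_tlsa)
    echo "$cls $n"
}

# Constructed dig outputs (not real captures) to exercise the classifier offline.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_25._tcp.mail.example.net. 3600 IN TLSA 3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh tlsa-check.sh 127.0.0.1 25 mail.example.net
# then repeat with 8.8.8.8 and 1.1.1.1 in place of 127.0.0.1 and compare.
if [ "$#" -eq 3 ]; then
    query_tlsa "$1" "$2" "$3"
fi
```

A "bogus 0" from the local Unbound where quad8/quad1 return "secure 1" points at validation on the local resolver (trust anchor, clock, or a stripped RRSIG on the path to it); "insecure" everywhere means the zone's chain is not signed, so no resolver will set AD and DANE clients will not use the record.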