> Can you try with unbound having direct
> unfiltered port 53 to the internet?

Yes, that was my scenario: public IP with no filter (I'm going to enable iptables later) trying to discover the solution.

Like Anand said, I misconfigured "do-tcp: no" and that was the reason for .org resolution failing.

Thanks again :-D

On Mon, 10 Sep 2018 at 16:39, Paulo Roberto Tomasi <[email protected]> wrote:

> Thank you very much!
>
> Now https://www.rootcanary.org/test.html shows me green padlocks.
>
> :-D
>
> On Mon, 10 Sep 2018 at 16:26, Anand Buddhdev <[email protected]>
> wrote:
>
>> On 10/09/2018 21:45, Paulo Roberto Tomasi via Unbound-users wrote:
>>
>> Hi Paulo,
>>
>> > do-tcp: no
>>
>> Don't disable TCP. TCP is *required* for proper operation of DNS,
>> especially if you want to do DNSSEC validation. Many of the signed
>> responses can be large. For example, the DNSKEY response for .ORG is
>> 1625 bytes, and sometimes TCP is required in order to retrieve such
>> large responses. Disabling TCP can cause DNSSEC validation to fail.
>>
>> Regards,
>> Anand
>>
>
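Added example, not part of the original thread and not Unbound project code: a Python check that reads unbound.conf text and flags the "do-tcp: no" setting discussed above when a trust anchor is configured, plus an "edns-buffer-size" smaller than the 1625-byte .ORG DNSKEY response Anand mentions. The sample configuration and its file path are constructed, and taking the last value of a repeated option is an assumption of this sketch.

```python
import re

# unbound.conf options that configure a DNSSEC trust anchor.
TRUST_ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file",
                     "trust-anchor", "trusted-keys-file"}

def parse_unbound_conf(text):
    """Return (key, value) pairs from 'key: value' lines, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([a-z0-9-]+):\s*(.*)$", line)
        if m and m.group(2):  # skips clause headers such as 'server:'
            pairs.append((m.group(1), m.group(2).strip().strip('"')))
    return pairs

def check_tcp_for_dnssec(text, response_size=1625):
    """Flag settings that stop large signed responses from being retrieved.

    response_size defaults to the .ORG DNSKEY size quoted in the thread.
    """
    opts = parse_unbound_conf(text)
    last = dict(opts)  # assumption of this sketch: last occurrence wins
    validating = any(key in TRUST_ANCHOR_KEYS for key, _ in opts)
    findings = []
    if last.get("do-tcp", "yes") == "no":
        msg = "do-tcp: no disables TCP, so truncated answers cannot be retried"
        if validating:
            msg += "; DNSSEC validation can fail on large responses"
        findings.append(msg)
    buf = last.get("edns-buffer-size")
    if buf is not None and buf.isdigit() and int(buf) < response_size:
        findings.append(f"edns-buffer-size {buf} is below the {response_size}-byte "
                        "response, so that answer is only retrievable over TCP")
    return findings

# Constructed sample configuration (path is illustrative).
BROKEN = """\
server:
    interface: 0.0.0.0
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    do-tcp: no
"""
FIXED = BROKEN.replace("do-tcp: no", "do-tcp: yes")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_tcp_for_dnssec(conf) or "ok")
```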
