On 21.06.2016 at 19:23, Daisuke HIGASHI via Unbound-users wrote:
> I guess that your unbound resolver is set to do DNSSEC validation.
> Unbound tries to verify the chain of trust from the root (.) to the domain being resolved,
> even if the domain is a stub/forwarder zone. Obviously the validation fails
> when unbound can't reach the root servers (or TLD servers) due to a network outage.
Sounds plausible.
> A possible workaround is to set a negative trust anchor
> (domain-insecure) for the stub zone like this:
>
> server:
>     auto-trust-anchor-file: "root.key"   # DNSSEC validation enabled
>     domain-insecure: "mydummylocaldomain.com"
>
> stub-zone:
>     name: "mydummylocaldomain.com"
>     stub-addr: 127.0.0.1@54
Even operating a root zone mirror (RFC 7706) wouldn't help, because second-level
domains could not be reached.
So if a network would like to keep internal/own services running, DNSSEC must be
disabled (entirely, or by setting negative trust anchors).
Consequence to me: using DNSSEC *requires* connectivity.
Am I right?
Andreas
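As an added check (not from this thread, and not part of Unbound), the script below scans an unbound.conf for stub/forward zones that have no covering domain-insecure entry while a trust anchor is configured, i.e. the zones that would stop resolving during an upstream outage as described above. The sample config is constructed from the one quoted in the thread, with one extra uncovered zone.

```python
import re

# Constructed sample: validation enabled, one stub zone covered, one forward zone not.
SAMPLE_CONF = """
server:
    auto-trust-anchor-file: "root.key"   # DNSSEC validation enabled
    domain-insecure: "mydummylocaldomain.com"

stub-zone:
    name: "mydummylocaldomain.com"
    stub-addr: 127.0.0.1@54

forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
"""

# Server options that enable DNSSEC validation by loading a trust anchor.
ANCHOR_OPTIONS = {"auto-trust-anchor-file", "trust-anchor-file",
                  "trust-anchor", "trusted-keys-file"}


def parse_unbound_conf(text):
    """Return [(clause, {key: [values]})] in file order. Covers the subset of
    unbound.conf syntax used here: unindented 'clause:' headers, indented
    'key: value' lines, '#' comments and double-quoted values."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "" and not raw[0].isspace():      # clause header
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1].setdefault(key, []).append(value)
    return clauses


def unprotected_local_zones(text):
    """Names of stub/forward zones not covered by domain-insecure (exact name
    or a parent, since domain-insecure also applies to subdomains) while a
    trust anchor is configured. Empty list if validation is not enabled."""
    clauses = parse_unbound_conf(text)
    server = [o for c, o in clauses if c == "server"]
    if not any(ANCHOR_OPTIONS & set(o) for o in server):
        return []
    insecure = {n.rstrip(".").lower() for o in server
                for n in o.get("domain-insecure", [])}

    def covered(name):
        labels = name.rstrip(".").lower().split(".")
        return any(".".join(labels[i:]) in insecure for i in range(len(labels)))

    return [o["name"][0] for c, o in clauses
            if c in ("stub-zone", "forward-zone") and "name" in o
            and not covered(o["name"][0])]
```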