Date: Thu, 12 Oct 2017 17:31:32 -0400
From: Baho Utot <baho-utot@columbus.rr.com>
To: freebsd-questions@freebsd.org
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
Message-ID: <b1f2d83e-d09f-42ad-f03d-26b6995c141f@columbus.rr.com>
In-Reply-To: <4172.1507827505@segfault.tristatelogic.com>
References: <4172.1507827505@segfault.tristatelogic.com>

On 10/12/2017 12:58 PM, Ronald F. Guilmette wrote:
> In message <CA+4G5KY727cJ=Lp-hU77DH03d+Kw9iHD9cpBUqT24h7jWDPYLw@mail.gmail.com>
> Erwan Legrand <freebsd@erwanlegrand.com> wrote:
>
>> On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
>> <rfg@tristatelogic.com> wrote:
>>> After the install finished and I booted the new system, I immediately
>>> got some console errors indicating that the various default NTP servers
>>> (I also enabled NTP) were not resolving. :-(
>> This could happen if you forward queries to servers which strip DNSSEC
>> signatures. If that is the case, you have two options: either you stop
>> forwarding to these servers or you disable the DNSSEC support in
>> Unbound.
> OK, this is a little bit confusing to me, so please bear with me...
>
> My *router* (Linksys E4200) has been configured to tell DHCP clients
> to use the two public name servers of OpenDNS, i.e. 208.67.222.222
> and 208.67.220.220.
>
> However I'm unclear on what, if anything, this has to do with the Unbound(8)
> caching resolver.
>
> During this (fresh) install, I -never- explicitly selected any option that
> would obviously have the effect of telling unbound to forward/route all
> of its DNS queries through any other specific name servers. So why on
> earth would it be doing so?

Because the base system uses unbound as the resolver.

>
> I mean I -thought- that this was (mostly) the whole point of running a
> local caching resolver, i.e. that *it* would do all of the DNS lookups
> itself, traversing/descending its way, as necessary, down from the root
> zone servers until it found what it was looking for.
>
> I don't know if the OpenDNS servers strip DNSSEC stuff or not, but again,
> I don't see why Unbound(8) should even be using those servers anyway.
> Just because my router is giving those two specific IPv4 addresses to
> each of its DHCP clients, that doesn't mean that any of those clients
> are in any way forced to use them. And I don't see why Unbound(8) would
> be doing so.
>
> If it isn't, and if unbound is, as I believed, traversing the DNS tree itself,
> starting from the root each time, then there is nobody and nothing between
> it and the authoritative servers for whatever it happens to be looking
> for -- thus, no filtering of DNSSEC, and thus, the resolution failures
> I described are still mysterious... to me anyway.
>
> What am I missing?
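
Added example, not part of the original message or of FreeBSD/Unbound: one way to test the condition Erwan Legrand describes, by sending a query with the EDNS0 DO bit set and checking whether the answer section comes back with RRSIG records. The function names, the `example.org` sample and its dummy RRSIG rdata are constructed for illustration; the check is only meaningful for a name in a signed zone.

```python
import socket
import struct

RRSIG = 46  # RR type number of a DNSSEC signature (RFC 4034)

def question(name, qtype=1):
    """Question section: length-prefixed labels, QTYPE (1 = A), QCLASS IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return qname + struct.pack("!HH", qtype, 1)

def build_query(name, qid=0x1234):
    """Query with RD=1 and an OPT record whose flags carry the DO bit (0x8000)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question(name) + opt

def skip_name(msg, off):
    """Offset just past a domain name; a compression pointer ends the name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def answer_types(msg):
    """RR types found in the answer section of a raw response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def strips_signatures(msg):
    """True when answers were returned but none of them is an RRSIG."""
    types = answer_types(msg)
    return bool(types) and RRSIG not in types

def ask(server, name):
    """Send the DO-bit query to `server` over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def sample_response(signed):
    """Constructed reply for example.org A; the RRSIG rdata is dummy filler."""
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    ans = [rr(1, bytes([192, 0, 2, 1]))] + ([rr(RRSIG, b"\x00" * 24)] if signed else [])
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ans), 0, 0) + question("example.org") + b"".join(ans)
```

Calling `strips_signatures(ask(forwarder_ip, name))` against each address the resolver forwards to shows whether signatures survive that hop.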