Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
To: freebsd-questions@freebsd.org
From: Baho Utot
Date: Thu, 12 Oct 2017 17:31:32 -0400

On 10/12/2017 12:58 PM, Ronald F. Guilmette wrote:
> In message
> Erwan Legrand wrote:
>
>> On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
>> wrote:
>>> After the install finished and I booted the new system, I immediately
>>> got some console errors indicating that the various default NTP servers
>>> (I also enabled NTP) were not resolving. :-(
>> This could happen if you forward queries to servers which strip DNSSEC
>> signatures. If that is the case, you have two options: either you stop
>> forwarding to these servers or you disable the DNSSEC support in
>> Unbound.
> OK, this is a little bit confusing to me, so please bear with me...
>
> My *router* (Linksys E4200) has been configured to tell DHCP clients
> to use the two public name servers of OpenDNS, i.e. 208.67.222.222
> and 208.67.220.220.
>
> However I'm unclear on what, if anything, this has to do with the Unbound(8)
> caching resolver.
>
> During this (fresh) install, I -never- explicitly selected any option that
> would obviously have the effect of telling unbound to forward/route all
> of its DNS queries through any other specific name servers. So why on
> earth would it be doing so?

Because the base system uses unbound as the resolver.

>
> I mean I -thought- that this was (mostly) the whole point of running a
> local caching resolver, i.e. that *it* would do all of the DNS lookups
> itself, traversing/descending its way, as necessary, down from the root
> zone servers until it found what it was looking for.
>
> I don't know if the OpenDNS servers strip DNSSEC stuff or not, but again,
> I don't see why Unbound(8) should even be using those servers anyway.
> Just because my router is giving those two specific IPv4 addresses to
> each of its DHCP clients, that doesn't mean that any of those clients
> are in any way forced to use them. And I don't see why Unbound(8) would
> be doing so.
>
> If it isn't, and if unbound is, as I believed, traversing the DNS tree itself,
> starting from the root each time, then there is nobody and nothing between
> it and the authoritative servers for whatever it happens to be looking
> for -- thus, no filtering of DNSSEC, and thus, the resolution failures
> I described are still mysterious... to me anyway.
>
> What am I missing?
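
The two cases argued over in this thread (Unbound recursing from the root itself versus forwarding everything to upstream servers while validating DNSSEC) can be told apart from the configuration. The following Python check is an added example, not part of the thread or of FreeBSD's tooling; the sample configuration, its key path and the function names are constructed for illustration.

```python
import re

# Constructed sample, not taken from the thread. The two addresses are the
# OpenDNS resolvers the poster's router hands out; the key path is assumed.
SAMPLE_CONF = """\
server:
    auto-trust-anchor-file: /var/unbound/root.key
forward-zone:
    name: .    # root zone, so every query goes to the forwarders
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
"""

ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file",
               "trust-anchor", "trusted-keys-file"}

def parse_clauses(text):
    """Split unbound.conf-style text into [(clause, [(key, value), ...])]."""
    clauses = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                  # clause header: "server:", "forward-zone:"
            clauses.append((key, []))
        elif clauses:
            clauses[-1][1].append((key, value.strip('"')))
    return clauses

def root_forwarders(text):
    """Addresses that receive every query (forward-zone named ".")."""
    return [v for clause, attrs in parse_clauses(text)
            if clause == "forward-zone" and ("name", ".") in attrs
            for k, v in attrs if k == "forward-addr"]

def validation_enabled(text):
    """True if a trust anchor is set and the validator module is not removed."""
    attrs = [a for c, al in parse_clauses(text) if c == "server" for a in al]
    modules = [v for k, v in attrs if k == "module-config"]
    if modules and "validator" not in modules[-1].split():
        return False
    return any(k in ANCHOR_KEYS for k, _ in attrs)

def assess(text):
    """Classify the setup the thread is arguing about."""
    fwd = root_forwarders(text)
    if not fwd:
        return "recursive"             # walks down from the root itself
    return "forwarding+validating" if validation_enabled(text) else "forwarding"
```

A result of "forwarding+validating" is the combination Erwan Legrand warns about: every forwarder returned by `root_forwarders` has to pass DNSSEC records through intact, or validated lookups fail.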