Maintained by: NLnet Labs

[Unbound-users] is not resolvable using DNSSEC resolver.

Paul Wouters
Tue Oct 11 17:45:37 CEST 2011

On Tue, 11 Oct 2011, Andreas Schulze wrote:

> I'd like to ask how to handle such problems on a production resolver.
> If a domain is unresolvable, common reasons are
> - the remote site does not handle capitalisation correctly.
> - dnssec is broken
> - a bug in unbound
> The first can only be fixed by the remote site. If they don't, the domain
> stays unresolvable. Usually my users complain "at home it works!"
> Of course: at home they do not use unbound ...

You can set use-caps-for-id: no
In fact, for Fedora and RHEL/EPEL I had to do this since GoDaddy broke the
caps draft a few months ago.

> A bug must be found and fixed. After that a new version must be tested at
> the local site and production systems must be updated.

Testing of a new unbound version or configuration can easily be staged
though. If you want to keep configurations as much the same as you can,
then you can fix individual domain issues using explicit unbound-control
commands to override or feed/clean the cache.

> I suggest a lookup table inside unbound to disable some functions making
> a domain unresolvable. Lookup key could be a domain or a server. Lookup result
> could be a list of disabled functions:
> - do not use capitalisation
> - do not use EDNS
> - do not use TCP
> - treat domain like unsigned
> The last one is implemented with the "domain-insecure" statement.
> But for all other problems I have no solution today.

The problem of those first three is that it is not "domain specific"
but "nameserver specific" and could involve the parent name server too.

With unbound 1.4.13, pretty much all EDNS issues are fixed, unless you
yourself are on a fragment dropping network, and even then you can
resolve this using edns-buffer-size: 1480
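The three knobs discussed in this thread, collected into one unbound.conf fragment as an added example (this is not configuration from the original post or from NLnet Labs; example.com and the 192.0.2.0/24 addresses are placeholders):

```conf
# unbound.conf fragment (added example, not from the original post).
# example.com and 192.0.2.x are placeholders, not real data.
server:
    # Disable 0x20 query-name case randomisation. Note this is global:
    # it switches the check off for every upstream nameserver, not just
    # the one that mishandles capitalisation.
    use-caps-for-id: no

    # Cap the advertised EDNS0 UDP payload so responses fit in a single
    # ~1500-byte Ethernet frame and are not lost on a path that drops
    # IP fragments. Answers larger than this fall back to TCP.
    edns-buffer-size: 1480

    # Treat this zone (and everything below it) as unsigned: DNSSEC
    # validation is skipped for it, so a broken chain of trust no longer
    # yields SERVFAIL. A temporary workaround, not a permanent setting.
    domain-insecure: "example.com"

# Needed for the unbound-control commands mentioned above.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

With remote control enabled, individual domains can be handled at runtime without touching the file: `unbound-control flush_zone example.com` drops everything cached under the name, and `unbound-control local_data "host.example.com. A 192.0.2.10"` feeds a fixed answer into the resolver. Reload after editing the file (`unbound-control reload`) and verify the effect with `dig +dnssec` against the resolver, checking for the AD flag where validation is expected and its absence under a domain-insecure zone.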