DNS Resolver with DNSSEC enabled not resolving
I have unbound DNS in resolver mode and just came across a domain name for which its authoritative server does not seem to support DNSSEC. As a result clients do not receive the resolved IP address. Strangely, PFSense itself can resolve these queries just fine (via the DNS Lookup tool).
From dnschecker.org the name server for habr.com is ns1.habradns.net and the lack of RRSIG response indicates that it does not support DNSSEC.
Is there a fallback mechanism for such cases so as not to disable DNSSEC globally?
root@instance-2:~# dig +dnssec habr.com @8.8.8.8
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec habr.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;habr.com. IN A
;; ANSWER SECTION:
habr.com. 462 IN A 178.248.237.68
habr.com. 462 IN RRSIG A 13 2 3600 20211007000000 20210916000000 3055 habr.com. mtSk3l/0sYtKIj+liR8flK/PpCzw45FMvbDyPxWoWKdRzdENVh/9jdKi X/rYGtcu/gHqHCAwjaElHtd4ZbXs8w==
;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Sep 22 20:01:36 PDT 2021
;; MSG SIZE rcvd: 157

root@instance-2:~# dig +dnssec habr.com @ns1.habradns.net.
; <<>> DiG 9.16.1-Ubuntu <<>> +dnssec habr.com @ns1.habradns.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13554
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;habr.com. IN A
;; ANSWER SECTION:
habr.com. 3600 IN A 178.248.237.68
;; Query time: 256 msec
;; SERVER: 178.248.233.33#53(178.248.233.33)
;; WHEN: Wed Sep 22 20:02:13 PDT 2021
;; MSG SIZE rcvd: 53
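An added example, not part of the original post: a small Python parser that pulls the DNSSEC-relevant signals (header AD/AA flags, echoed EDNS DO flag, RRSIG records in the answer) out of `dig +dnssec` output, so the two responses quoted above can be compared field by field. The embedded samples are trimmed from the post's output with the signature replaced by a placeholder; `summarize` is a hypothetical helper name.

```python
import re

# Trimmed from the two dig responses quoted in the post; signature replaced
# by a placeholder.
RESOLVER_REPLY = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;habr.com. IN A
;; ANSWER SECTION:
habr.com. 462 IN A 178.248.237.68
habr.com. 462 IN RRSIG A 13 2 3600 20211007000000 20210916000000 3055 habr.com. <signature-omitted>
"""
AUTH_REPLY = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;habr.com. IN A
;; ANSWER SECTION:
habr.com. 3600 IN A 178.248.237.68
"""

def summarize(dig_text):
    """Extract DNSSEC-relevant signals from `dig +dnssec` text output."""
    header = re.search(r"^;; flags: ([a-z ]*);", dig_text, re.M)
    edns = re.search(r"^; EDNS: .*flags:([a-z ]*);", dig_text, re.M)
    hdr_flags = set(header.group(1).split()) if header else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    rrtypes, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            in_answer = line.startswith(";; ANSWER")
        elif in_answer and line and not line.startswith(";"):
            fields = line.split()          # name ttl class TYPE rdata...
            if len(fields) >= 4:
                rrtypes.append(fields[3])
    return {
        "ad": "ad" in hdr_flags,           # answering resolver marked data authenticated
        "aa": "aa" in hdr_flags,           # answer came from an authoritative server
        "do_echoed": "do" in edns_flags,   # DO bit present in the response OPT record
        "rrsig": "RRSIG" in rrtypes,       # signature records included in the answer
        "types": rrtypes,
    }

if __name__ == "__main__":
    for label, text in (("8.8.8.8", RESOLVER_REPLY), ("ns1.habradns.net", AUTH_REPLY)):
        print(label, summarize(text))
```
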