DNSSEC between 2 providers
Hi Guys,
Recently I ran into the following concerning DNSSEC. Someone asked me if I could help him, as he could not access a certain website, while there was no problem accessing this website when he did not use his ISP. After some research, and after ruling out pfBlockerNG, I analyzed /var/log/pfblockerng/unified.log and found a ServFail, something like below:
DNS-reply,Dec 1 11:11:34,resolver,DNSKEY,DNSKEY,Unk,websitewewanttovisit.com,127.0.0.1,ServFail,unk
I solved his problem by adding a custom option in the DNS Resolver of pfSense to work around a broken chain of trust for this website:
server:
domain-insecure: websitewewanttovisit.com
How is it possible that we both use Unbound with pfSense and nearly the same config, but I do not experience a DNSSEC problem for the same website that the person in question does? The only thing in which we differ is the ISP.
Thanks for any help/explanation in advance,
Cheers Qinn
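An added example, not part of the original post: a small Python filter that lists the domains in unified.log whose ServFail replies include DNSKEY or DS lookups, so the affected names are known before any domain-insecure exception is added. The field positions are an assumption read off the single log line quoted above, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in the shape of the log line quoted in the post.
# Assumed positions (read off that one line): 0 = record type, 3 = query type,
# 6 = domain, 8 = result. Other fields are not interpreted.
SAMPLE_LOG = """\
DNS-reply,Dec 1 11:11:34,resolver,DNSKEY,DNSKEY,Unk,websitewewanttovisit.com,127.0.0.1,ServFail,unk
DNS-reply,Dec 1 11:11:35,resolver,A,A,Unk,websitewewanttovisit.com,127.0.0.1,ServFail,unk
DNS-reply,Dec 1 11:11:36,resolver,A,A,Unk,other-site.example,127.0.0.1,ServFail,unk
DNS-reply,Dec 1 11:11:40,resolver,DS,DS,Unk,signed-zone.example,127.0.0.1,ServFail,unk
DNS-reply,Dec 1 11:12:01,resolver,A,A,300,working-site.example,127.0.0.1,192.0.2.10,unk
truncated,line
"""

# Record types a validating resolver fetches to build the chain of trust.
DNSSEC_QTYPES = {"DNSKEY", "DS"}


def servfail_summary(lines):
    """Return {domain: set of query types that were answered with ServFail}."""
    failures = defaultdict(set)
    for line in lines:
        fields = line.strip().split(",")
        # Skip short, malformed or non-reply lines instead of failing on them.
        if len(fields) < 9 or fields[0] != "DNS-reply":
            continue
        qtype, domain, result = fields[3], fields[6], fields[8]
        if result.lower() == "servfail":
            failures[domain.lower().rstrip(".")].add(qtype.upper())
    return dict(failures)


def dnssec_suspects(lines):
    """Domains whose ServFail replies include a DNSKEY or DS lookup.

    These are candidates for a DNSSEC validation problem; a ServFail seen
    only on A/AAAA lookups can have other causes and is not listed.
    """
    summary = servfail_summary(lines)
    return sorted(d for d, qtypes in summary.items() if qtypes & DNSSEC_QTYPES)


if __name__ == "__main__":
    for name in dnssec_suspects(SAMPLE_LOG.splitlines()):
        print(name)
```

To run it against a real log, pass the lines of /var/log/pfblockerng/unified.log to dnssec_suspects() instead of the sample.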