Unbound + DNSSEC + Domain Overrides



  • Hi guys,

    just noticed that if you have a domain override for some internal domain ("example.local") and DNSSEC enabled at the same time, the unbound server responds with SERVFAIL.

    You have to include

    
    server:
        # allow this zone to return RFC1918 addresses
        private-domain: "example.local"
        # do not require a DNSSEC chain of trust for this zone
        domain-insecure: "example.local"
    

    for every domain.

    This is correct, because these domains are not validated by DNSSEC. But this should happen automatically if you add a domain override (or a checkbox where you can control it) in my opinion.

    Greets
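    The check the poster wishes happened automatically, written as an added example (not part of the original post and not pfSense's or unbound's own code): a POSIX shell audit that reads an unbound.conf, finds every forward-zone name (which is how unbound expresses a domain override) that has no matching domain-insecure: directive, and prints the server: stanza that adds it. The sample configuration is constructed, and the function names are mine; it assumes overrides appear as forward-zone: blocks with a name: line.

```shell
#!/bin/sh
# Audit an unbound.conf for forward-zones that lack a matching
# domain-insecure: directive and render the stanza that fixes them.
# Example code; assumes forward-zone: blocks carry a name: line.

# Constructed sample config: two overrides, only one marked insecure.
SAMPLE_CONF='server:
    domain-insecure: "corp.example"

forward-zone:
    name: "example.local"
    forward-addr: 10.0.0.10

forward-zone:
    name: "corp.example"
    forward-addr: 10.0.1.10
'

# Print the zone names declared in forward-zone: blocks, unquoted, one per line.
forward_zone_names() {
    awk '
        /^[[:space:]]*forward-zone:/ { inzone = 1; next }
        inzone && /^[[:space:]]*name:/ {
            sub(/^[[:space:]]*name:[[:space:]]*/, "")
            gsub(/["]/, ""); sub(/\.$/, "")
            print; inzone = 0
        }
    '
}

# Print the names already covered by a domain-insecure: directive.
insecure_names() {
    awk '
        /^[[:space:]]*domain-insecure:/ {
            sub(/^[[:space:]]*domain-insecure:[[:space:]]*/, "")
            gsub(/["]/, ""); sub(/\.$/, "")
            print
        }
    '
}

# Print every forward-zone name that has no domain-insecure: entry.
# $1 = full configuration text.
missing_insecure() {
    conf="$1"
    printf '%s\n' "$conf" | forward_zone_names | while IFS= read -r zone; do
        if ! printf '%s\n' "$conf" | insecure_names | grep -qxF "$zone"; then
            printf '%s\n' "$zone"
        fi
    done
}

# Render a server: stanza adding private-domain and domain-insecure
# for each missing zone; prints nothing when nothing is missing.
render_fix() {
    zones=$(missing_insecure "$1")
    [ -n "$zones" ] || return 0
    printf 'server:\n'
    printf '%s\n' "$zones" | while IFS= read -r zone; do
        printf '    private-domain: "%s"\n' "$zone"
        printf '    domain-insecure: "%s"\n' "$zone"
    done
}

# Stand-alone run against the constructed sample.
render_fix "$SAMPLE_CONF"
```

    Against a real system run render_fix "$(cat /path/to/unbound.conf)" and paste the result into the custom options; unbound accepts more than one server: clause. The private-domain line only matters when unbound has private-address configured (it then rejects RFC1918 answers from zones not listed), so drop it for zones that return only public addresses.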



  • Just want to say thank you, this saved me some headaches, and I agree, this should be added automatically when enabling DNSSEC with existing domain overrides.


  • LAYER 8 Global Moderator

    How is what??

    This would only fail if the dnssec on that domain is not valid. If it does not have any dnssec enabled then it would work just fine. So yeah, if you're pointing an override where a domain has a broken dnssec setup, then yeah it would give you servfail.

    If what you're saying was true then unbound wouldn't work for any domain that is not dnssec enabled.



  • It's not required to disable DNSSEC for forwarded domains, so it would be inappropriate to do so automatically. At some point I might add a checkbox to the domain override screen to add it automatically, disabled by default.



  • @cmb:

    It's not required to disable DNSSEC for forwarded domains, so it would be inappropriate to do so automatically. At some point I might add a checkbox to the domain override screen to add it automatically, disabled by default.

    I'm gonna check that again.

    "example.local" was some internal Windows DNS Server for that Active Directory domain for me. I don't think that there was/is DNSSEC enabled.



  • I know this is old but...

    @azekiel said in Unbound + DNSSEC + Domain Overrides:

    Hi guys,

    just noticed that if you have a domain override for some internal domain ("example.local") and DNSSEC enabled at the same time the unbound server does respond with SERVFAIL.

    You have to include

    
    server:
        # allow this zone to return RFC1918 addresses
        private-domain: "example.local"
        # do not require a DNSSEC chain of trust for this zone
        domain-insecure: "example.local"
    

    @azekiel said in Unbound + DNSSEC + Domain Overrides:

    @cmb:

    It's not required to disable DNSSEC for forwarded domains, so it would be inappropriate to do so automatically. At some point I might add a checkbox to the domain override screen to add it automatically, disabled by default.

    I'm gonna check that again.

    "example.local" was some internal Windows DNS Server for that Active Directory domain for me. I don't think that there was/is DNSSEC enabled.

    I JUST ran into this EXACT same problem on pfSense 2.4.4 p1.

    Also doing a Domain Override on a Windows AD Domain with NO DNSSEC setup on it whatsoever, not a Broken DNSSEC, NO DNSSEC.

    Unbound kept replying SERVFAIL with no real explanation in the logs.

    Adding domain-insecure:"example.local" fixed mine as well.


  • LAYER 8 Netgate

    Using something like dig or drill can help diagnose this sort of problem. There is far more to diagnosing DNS issues than looking at unbound logs.
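    The dig-based check that reply points at, as an added example (my own code, not Netgate's or the posters'): query the resolver once normally and once with +cd (checking disabled). Unbound still forwards and returns the data with CD set, so a SERVFAIL that turns into NOERROR under +cd is a validation failure, the case domain-insecure addresses; a SERVFAIL under both means the forwarder itself is not answering, which no DNSSEC setting will fix. The decision logic is kept in a function of its own so it can be exercised on constructed RCODEs; the constructed dig header lines and the function names are mine.

```shell
#!/bin/sh
# Tell a DNSSEC validation failure apart from a broken forwarder by
# comparing a normal query with the same query with the CD bit set.
# Example code; requires dig only for the live check_override call.

# Pure decision logic: $1 = RCODE of the normal query, $2 = RCODE with +cd.
classify_status() {
    case "$1:$2" in
        SERVFAIL:NOERROR|SERVFAIL:NXDOMAIN)
            # data comes back once validation is skipped: validator rejected it
            echo "validation-failure" ;;
        SERVFAIL:SERVFAIL)
            # forwarder unreachable or failing on its own; not a DNSSEC problem
            echo "upstream-failure" ;;
        TIMEOUT:*)
            echo "no-response" ;;
        NOERROR:*|NXDOMAIN:*)
            echo "resolves" ;;
        *)
            echo "unknown" ;;
    esac
}

# Pull the RCODE out of dig's header line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345"
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Live check: $1 = name inside the overridden zone, $2 = resolver (default localhost).
check_override() {
    name="$1"
    resolver="${2:-127.0.0.1}"
    normal=$(dig @"$resolver" "$name" A +time=2 +tries=1 | dig_status)
    cdflag=$(dig @"$resolver" "$name" A +cd +time=2 +tries=1 | dig_status)
    normal="${normal:-TIMEOUT}"
    cdflag="${cdflag:-TIMEOUT}"
    printf '%s normal=%s cd=%s -> %s\n' "$name" "$normal" "$cdflag" \
        "$(classify_status "$normal" "$cdflag")"
}

# Constructed dig header lines used to exercise dig_status offline.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346'

# Stand-alone demonstration on the constructed headers.
printf 'offline: %s\n' "$(classify_status \
    "$(printf '%s\n' "$SAMPLE_SERVFAIL" | dig_status)" \
    "$(printf '%s\n' "$SAMPLE_NOERROR" | dig_status)")"
```

    Run check_override dc01.example.local against the firewall to get the verdict for a real override. When the verdict is validation-failure, unbound can be made to say why: setting val-log-level: 2 in the server: section logs the reason for each validation failure, which fills the gap in the logs the previous poster describes. Querying the forwarder directly (dig @10.0.0.10 dc01.example.local) confirms whether the upstream answers at all.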