What is the reason for this DNSSEC validation failure of dnsviz.net?

Posted by grifferz on Server Fault See other posts from Server Fault or by grifferz
Published on 2012-07-07T11:17:13Z Indexed on 2012/07/07 21:17 UTC
Read the original article Hit count: 218

Filed under:

dnssec

|

unbound

On trying to resolve dnsviz.net from a host using an Unbound resolver that is configured to use DNSSEC validation, the result is "no servers could be reached":

$ dig -t soa dnsviz.net
; <<>> DiG 9.6-ESV-R4 <<>> -t soa dnsviz.net
;; global options: +cmd
;; connection timed out; no servers could be reached

Nothing is logged by Unbound to suggest why this is the case.

Here is the /etc/unbound/unbound.conf:

server:
    verbosity: 1
    interface: 192.168.0.8
    interface: 127.0.0.1
    interface: ::0
    access-control: 0.0.0.0/0      refuse
    access-control: ::0/0          refuse
    access-control: 127.0.0.0/8    allow_snoop
    access-control: 192.168.0.0/16 allow_snoop
    chroot: ""
    auto-trust-anchor-file: "/etc/unbound/root.key"
    val-log-level: 2
python:
remote-control:
    control-enable: yes

If I add:

module-config: "iterator"

(thus disabling DNSSEC validation) then I am able to resolve this host normally.

The domain and its DNSSEC check out fine according to http://dnscheck.iis.se/ so there must be something wrong with my resolver configuration.

What is it and how do I go about debugging that?

© Server Fault or respective owner

Related posts about dnssec

DNSSEC - Ad Flag not activated

as seen on Server Fault - Search for 'Server Fault'
Hi all, I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files: Named.conf (Authoritative Server) // Opciones de configuracion del servidor include "/etc/rndc… >>> More
How to find domain registrar and DNS hosting with good DNSSEC support?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
Simplified problem I want to buy a domain and make a website that is fully secured with DNSSEC. Background I've been hearing about the insecurity of DNS for years. I've watched all of the talks by Dan Kaminsky and others from DNS exploits to The future of DNS Security Panel. I knew that using DNS… >>> More
DNSCurve vs DNSSEC

as seen on Server Fault - Search for 'Server Fault'
Can someone informed, please give a lengthy reply about the differences and advantages/disadvantages of both approaches? I am not a DNS expert, not a programmer. I have a decent basic understanding of DNS, and enough knowledge to understand how things like the kaminsky bug work. From what I understand… >>> More
DNSSEC - What doesn't it cover?

as seen on Server Fault - Search for 'Server Fault'
I'm currently revising for an exam to do with DNS/DNSSEC. While I know DNSSEC provides various security enhancements for DNS, I would like to dive a bit deeper(for my own thirst for knowledge!) and would like to know what is still problematic security wise even after DNSSEC is employed? After all… >>> More
Debian DNSSEC - howto secure a domain?

as seen on Server Fault - Search for 'Server Fault'
I have a beginner question about DNSSEC. I have much experience with TLS and cryptography-stuff and would like to try out this new technology. I have googled very much about this but I haven't found useful information for me. I think one confusion in information gathering is that "Debian howto DNSSEC… >>> More

Related posts about unbound

Analyst's Corner: "Portals Unbound"

as seen on Oracle Technology Network - Search for 'Oracle Technology Network'
Portals enable an evolving web of social interactions to boost productivity. >>> More
What is the reason for this DNSSEC validation failure of dnsviz.net?

as seen on Server Fault - Search for 'Server Fault'
On trying to resolve dnsviz.net from a host using an Unbound resolver that is configured to use DNSSEC validation, the result is "no servers could be reached": $ dig -t soa dnsviz.net ; <<>> DiG 9.6-ESV-R4 <<>> -t soa dnsviz.net ;; global options: +cmd ;; connection timed… >>> More
How can I create a Multiple Value Combo box on an Unbound Form

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi I need your help on MS Access 2007. I have a big problem with my MS Access Unbound Form. How can I create a combo box i do not want bound to a table, show a multiple value List? The Combo is named Sector and want these values to be selected in Multiples 9Which should be possible in Access 2007)… >>> More
Linking indivuidal queries in a unbound listbox in ACCESS 2007

as seen on Stack Overflow - Search for 'Stack Overflow'
I have created a unbound listbox. I have the box showing a list of queries i want the use to be able to select. My problem is I don't understand how to get the submit button to select the currently selected query and run it. So how do I link the submit button to the listbox and have each item in… >>> More
how to sort Gridview rows by a unbound Template column

as seen on Stack Overflow - Search for 'Stack Overflow'
i want to sort my Gridview rows by a template column that is not bound to any database field. This template coulmn just has a label whose text i set in code depending on a value in a different column that is databound. So am stuck on how to set its sortExpression since its not linked to an column. >>> More