From owner-freebsd-questions@freebsd.org Thu Oct 12 16:58:26 2017
Return-Path:
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CB28DE2EEA9 for ; Thu, 12 Oct 2017 16:58:26 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id B254584055 for ; Thu, 12 Oct 2017 16:58:25 +0000 (UTC) (envelope-from rfg@tristatelogic.com)
Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id 6361F3AF79 for ; Thu, 12 Oct 2017 09:58:25 -0700 (PDT)
From: "Ronald F. Guilmette"
To: FreeBSD Questions
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
In-Reply-To:
Date: Thu, 12 Oct 2017 09:58:25 -0700
Message-ID: <4172.1507827505@segfault.tristatelogic.com>
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Oct 2017 16:58:26 -0000

In message Erwan Legrand wrote:

>On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
> wrote:
>> After the install finished and I booted the new system, I immediately
>> got some console errors indicating that the various default NTP servers
>> (I also enabled NTP) were not resolving. :-(
>
>This could happen if you forward queries to servers which strip DNSSEC
>signatures. If that is the case, you have two options: either you stop
>forwarding to these servers or you disable the DNSSEC support in
>Unbound.

OK, this is a little bit confusing to me, so please bear with me...

My *router* (Linksys E4200) has been configured to tell DHCP clients to use the two public name servers of OpenDNS, i.e. 208.67.222.222 and 208.67.220.220.
However, I'm unclear on what, if anything, this has to do with the Unbound(8) caching resolver. During this (fresh) install, I -never- explicitly selected any option that would obviously have the effect of telling unbound to forward/route all of its DNS queries through any other specific name servers. So why on earth would it be doing so?

I mean, I -thought- that this was (mostly) the whole point of running a local caching resolver, i.e. that *it* would do all of the DNS lookups itself, traversing/descending its way, as necessary, down from the root zone servers until it found what it was looking for.

I don't know if the OpenDNS servers strip DNSSEC stuff or not, but again, I don't see why Unbound(8) should even be using those servers anyway. Just because my router is giving those two specific IPv4 addresses to each of its DHCP clients, that doesn't mean that any of those clients are in any way forced to use them. And I don't see why Unbound(8) would be doing so.

If it isn't, and if unbound is, as I believed, traversing the DNS tree itself, starting from the root each time, then there is nobody and nothing between it and the authoritative servers for whatever it happens to be looking for -- thus, no filtering of DNSSEC, and thus, the resolution failures I described are still mysterious... to me anyway.

What am I missing?
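The question the message ends on, whether the local Unbound is really recursing from the root or quietly forwarding to the router-advertised servers, is answerable from the resolver's own configuration: a `forward-zone:` clause whose `name:` is `"."` sends every query to the listed `forward-addr:` hosts, and DNSSEC validation is active when a trust anchor (for example `auto-trust-anchor-file:`) is configured and the `validator` module is in `module-config:` (it is in Unbound's default module list). On FreeBSD, the local_unbound rc script's setup step writes such a forward clause into a separate `forward.conf` from the name servers found in `/etc/resolv.conf`, which is how DHCP-supplied servers end up as forwarders without the user choosing them. The following is an added example, not code from the thread or from the Unbound project: a small Python audit that parses an Unbound configuration, follows `include:` directives, and reports the resolution mode and whether validation can be on. The file layout and the two sample files are constructed for the demonstration (the `/var/unbound/...` paths mirror the FreeBSD layout as I understand it and are an assumption); the forwarder addresses are the two OpenDNS servers named in the message.

```python
"""Audit an Unbound configuration: forwarding vs. recursion, DNSSEC validation.

Added example (not from the mailing-list thread or the Unbound project).
Pass real paths to run it against an installed resolver, or a dict of
path -> text (as below) to run it offline on constructed files.
"""
import re
from pathlib import Path

# Clause headers that start a new section of unbound.conf.
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone",
           "remote-control", "view", "rpz", "cachedb", "dnstap"}


def _tokenize(text):
    """Yield (key, value) pairs from unbound.conf text, dropping comments.

    A '#' only starts a comment at line start or after whitespace, so
    values such as forward-addr: 1.2.3.4@853#name.example are kept whole.
    """
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        yield key.strip(), value.strip().strip('"')


def _read(path, files):
    """Read a config file from the constructed dict, or from disk if none given."""
    if files is not None:
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return Path(path).read_text()


def _parse_into(conf, path, files, depth):
    # Included files are parsed with fresh clause state; the constructed
    # forward.conf opens with its own 'forward-zone:' header, as Unbound's
    # generated files do.
    if depth > 8:
        raise RuntimeError("include: nesting too deep at %s" % path)
    clause, current = None, None
    for key, value in _tokenize(_read(path, files)):
        if key == "include":
            _parse_into(conf, value, files, depth + 1)
        elif key in CLAUSES and value == "":
            clause = key
            if clause == "forward-zone":
                current = {"name": None, "forward-addr": [], "forward-host": [],
                           "forward-first": "no"}
                conf["forward_zones"].append(current)
        elif clause == "server":
            conf["server"].setdefault(key, []).append(value)
        elif clause == "forward-zone" and current is not None:
            if key in ("forward-addr", "forward-host"):
                current[key].append(value)
            else:
                current[key] = value


def parse_unbound_conf(path, files=None):
    """Return {'server': {option: [values]}, 'forward_zones': [clause dicts]}."""
    conf = {"server": {}, "forward_zones": []}
    _parse_into(conf, path, files, depth=0)
    return conf


def resolution_mode(conf):
    """('forward'|'forward-first', [targets]) if a '.' forward-zone exists,
    otherwise ('recursive', []): Unbound then iterates from the root hints."""
    for fz in conf["forward_zones"]:
        if fz.get("name") == ".":
            mode = "forward-first" if fz.get("forward-first") == "yes" else "forward"
            return mode, fz["forward-addr"] + fz["forward-host"]
    return "recursive", []


def dnssec_validation_enabled(conf):
    """True when a trust anchor is configured and the validator module is loaded."""
    server = conf["server"]
    anchor_keys = ("auto-trust-anchor-file", "trust-anchor-file",
                   "trust-anchor", "trusted-keys-file")
    has_anchor = any(k in server for k in anchor_keys)
    modules = server.get("module-config", ["validator iterator"])[-1]  # Unbound default
    return has_anchor and "validator" in modules.split()


def audit(path="/var/unbound/unbound.conf", files=None):
    conf = parse_unbound_conf(path, files)
    mode, targets = resolution_mode(conf)
    return {"mode": mode, "forwarders": targets,
            "dnssec_validation": dnssec_validation_enabled(conf)}


# Constructed sample files, modelled on a FreeBSD local_unbound layout (assumption).
SAMPLE_FILES = {
    "/var/unbound/unbound.conf": """\
server:
    username: unbound
    directory: /var/unbound
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid   # constructed
    auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
""",
    "/var/unbound/forward.conf": """\
# constructed: forwarders copied from the router-supplied resolv.conf
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
""",
}

if __name__ == "__main__":
    # Offline run on the constructed files; drop files= to inspect a real install.
    print(audit(files=SAMPLE_FILES))
```

On the constructed files the report is `mode: forward` to the two OpenDNS addresses with `dnssec_validation: True`, which is exactly the combination the earlier reply warns about: validation is on locally, but every query goes through forwarders that may not pass DNSSEC records through. Removing the `include:` line (or emptying `forward.conf`) flips the mode to `recursive`, the behaviour the message expected from a caching resolver.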