Unbound(8) caching resolver no workie on fresh install :-(

[Baho Utot]

On 10/12/2017 12:58 PM, Ronald F. Guilmette wrote:
> In message <CA+4G5KY727cJ=Lp-hU77DH03d+Kw9iHD9cpBUqT24h7jWDPYLw at mail.gmail.com>
> Erwan Legrand <freebsd at erwanlegrand.com> wrote:
>
>> On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
>> <rfg at tristatelogic.com> wrote:
>>> After the install finished and I booted the new system, I immediately
>>> got some console errors indicating that the various default NTP servers
>>> (I also enabled NTP) were not resolving. :-(
>> This could happen if you forward queries to servers which strip DNSSEC
>> signatures. If that is the case, you have two options: either you stop
>> forwarding to these servers or your disable the DNSSEC support in
>> Unbound.
> OK, this is a little bit confusing to me, so please bear with me...
>
> My *router* (Linksys E4200) has been configured to tell DHCP clients
> to use the two public name servers of OpenDNS, i.e. 208.67.222.222
> and 208.67.220.220.
>
> However I'm unclear on what, if anything, this ha to do with the Unbound(8)
> caching resolver.
>
> During this (fresh) install, I -never- explicitly selected any option that
> would obcviously hav the effect of telling unbound to forward/route all
> of its DNS queries through any other specific name servers).  So why on
> earth would it be doing so?

Because the base system uses unbound as the resolver.

>
> I mean I -thought- that this was (mostly) the whole point of running a
> local caching resolver, i.e. that *it* would do all of the DNS lookups
> itself, traversing/descending its way, as necessary, down from the root
> zone servers until it found what it was looking for.
>
> I don't know if the OpenDNS server strip DNSSEC stuff or not, but again,
> I don't see why Unbound(8) should even be using those servers anyway.
> Just because my router is giving those two specific IPv4 addresses to
> each of its DHCP clients, that doesn't mean that any of those clients
> are in any way forced to use them.  And I don't see why Unbound(8) would
> be doing so.
>
> If it isn't, and if unbound is, as I believed, traversing the DNS tree itself,
> starting from the root each time, then there is nobody and nothing between
> it and the authoritative servers for whatever it happens to be looking
> for -- thus, no filtering of DNSSEC, and thus, the resolutions failures
> I described are still mysterious... to me anyway.
>
> What am I missing?
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"