I have something strange going on in Unbound since my last IPFire update, Core Update 153.
For example, I can't resolve the ipfire.org domain, but other domains too!
Here are the error messages I have in the logs:
...
Feb 9 23:54:53 myipfire unbound: [1731:0] info: validation failure <time-a.timefreq.bldrdoc.gov. AAAA IN>: key for validation bldrdoc.gov. is marked as invalid
Feb 9 23:54:53 myipfire unbound: [1731:0] info: validation failure <time-b.timefreq.bldrdoc.gov. AAAA IN>: key for validation bldrdoc.gov. is marked as invalid
...
Feb 9 23:58:13 myipfire unbound: [2596:0] info: validation failure <45.143.166.83.in-addr.arpa. PTR IN>: key for validation in-addr.arpa. is marked as invalid
Feb 9 23:58:14 myipfire unbound: [2596:0] info: validation failure <www.ipfire.org. A IN>: key for validation ipfire.org. is marked as invalid
...
Feb 9 23:55:49 myipfire unbound: [2596:0] info: validation failure <api.met.no. A IN>: No DNSKEY record from 103.247.36.9 for key met.no. while building chain of trust
Feb 9 23:55:49 myipfire unbound: [2596:0] info: validation failure <api.met.no. AAAA IN>: No DNSKEY record from 103.247.36.9 for key met.no. while building chain of trust
...
Feb 9 23:56:02 myipfire unbound: [2596:0] info: validation failure <195.195.97.37.in-addr.arpa. PTR IN>: key for validation in-addr.arpa. is marked as invalid
Feb 9 23:56:03 myipfire unbound: [2596:0] info: validation failure <44.143.166.83.in-addr.arpa. PTR IN>: No DNSKEY record from 172.14.15.16 for key in-addr.arpa. while
...
Feb 9 23:56:04 myipfire unbound: [2596:0] info: validation failure <www.ipfire.org. A IN>: No DNSKEY record from 103.247.37.9 for key ipfire.org. while building chain of trust
Feb 9 23:56:04 myipfire unbound: [2596:0] info: validation failure <ipfire.org. DNSKEY IN>: No DNSKEY record from 103.247.37.9 for key ipfire.org. while building chain of trust
...
I have IPFire installed at 3 sites and I have the same problem at all 3 sites.
Does anyone have the same worries? Is there a bug with Unbound?
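The two message shapes in the log above say different things. "No DNSKEY record from <address> for key <zone>" is the primary failure: Unbound asked the named upstream (on IPFire, the configured forwarder) for the zone's DNSKEY while building the chain of trust and got none back, which is what a forwarder that does not pass DNSSEC records through produces. "key for validation <zone> is marked as invalid" is the follow-on: Unbound has cached that zone's key as bad (for val-bogus-ttl, 60 seconds by default) and fails every query under it without asking again. Grouping the lines by zone and by upstream address shows whether one forwarder is behind all of them. The parser below is an added example, not part of the post or of IPFire; its input is the log lines quoted above with the two wrapped entries re-joined, and the field names (`kind`, `zone`, `server`) are my own.

```python
import re
from collections import Counter, defaultdict

# Unbound validation-failure lines copied from the post above; the two entries
# that were wrapped in the post are re-joined here so they parse as one line each.
SAMPLE_LOG = """\
Feb 9 23:54:53 myipfire unbound: [1731:0] info: validation failure <time-a.timefreq.bldrdoc.gov. AAAA IN>: key for validation bldrdoc.gov. is marked as invalid
Feb 9 23:54:53 myipfire unbound: [1731:0] info: validation failure <time-b.timefreq.bldrdoc.gov. AAAA IN>: key for validation bldrdoc.gov. is marked as invalid
Feb 9 23:58:13 myipfire unbound: [2596:0] info: validation failure <45.143.166.83.in-addr.arpa. PTR IN>: key for validation in-addr.arpa. is marked as invalid
Feb 9 23:58:14 myipfire unbound: [2596:0] info: validation failure <www.ipfire.org. A IN>: key for validation ipfire.org. is marked as invalid
Feb 9 23:55:49 myipfire unbound: [2596:0] info: validation failure <api.met.no. A IN>: No DNSKEY record from 103.247.36.9 for key met.no. while building chain of trust
Feb 9 23:55:49 myipfire unbound: [2596:0] info: validation failure <api.met.no. AAAA IN>: No DNSKEY record from 103.247.36.9 for key met.no. while building chain of trust
Feb 9 23:56:02 myipfire unbound: [2596:0] info: validation failure <195.195.97.37.in-addr.arpa. PTR IN>: key for validation in-addr.arpa. is marked as invalid
Feb 9 23:56:04 myipfire unbound: [2596:0] info: validation failure <www.ipfire.org. A IN>: No DNSKEY record from 103.247.37.9 for key ipfire.org. while building chain of trust
Feb 9 23:56:04 myipfire unbound: [2596:0] info: validation failure <ipfire.org. DNSKEY IN>: No DNSKEY record from 103.247.37.9 for key ipfire.org. while building chain of trust
"""

# One Unbound "validation failure <qname qtype qclass>: reason" line.
FAILURE_RE = re.compile(
    r"unbound: \[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# Follow-on failure: Unbound already holds a cached bad-key state for the zone
# (the entry lives for val-bogus-ttl, 60 s by default) and does not re-query.
BAD_KEY_RE = re.compile(r"key for validation (?P<zone>\S+) is marked as invalid")
# Primary failure: the named upstream returned no DNSKEY RRset for the zone.
# The regex stops at the zone so a line truncated after it still parses.
NO_DNSKEY_RE = re.compile(r"No DNSKEY record from (?P<server>\S+) for key (?P<zone>\S+)")


def parse_line(line: str):
    """Return a dict describing one validation failure, or None for any other line."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    rec = {"qname": m["qname"], "qtype": m["qtype"], "reason": m["reason"],
           "zone": None, "server": None, "kind": "other"}
    if (k := BAD_KEY_RE.search(rec["reason"])):
        rec.update(kind="cached_bad_key", zone=k["zone"])
    elif (k := NO_DNSKEY_RE.search(rec["reason"])):
        rec.update(kind="no_dnskey", zone=k["zone"], server=k["server"])
    return rec


def summarize(log_text: str) -> dict:
    """Count failures per zone and per kind, and list the zones each upstream failed on."""
    by_zone, by_kind = Counter(), Counter()
    by_server = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_kind[rec["kind"]] += 1
        if rec["zone"]:
            by_zone[rec["zone"]] += 1
        if rec["server"]:
            by_server[rec["server"]].add(rec["zone"])
    return {
        "by_zone": dict(by_zone),
        "by_kind": dict(by_kind),
        "by_server": {s: sorted(z) for s, z in by_server.items()},
    }


if __name__ == "__main__":
    import json
    import sys
    # Pipe /var/log/messages in, or run with no input to see the sample summarised.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(summarize(text), indent=2))
```

On the sample, every "No DNSKEY" line points at one of two upstream addresses and the "marked as invalid" lines cover the same zones, which is the pattern of a forwarder problem rather than a problem with the zones themselves. After changing forwarders, `unbound-control flush_bogus` drops the cached bad-key entries so the next query shows whether the new path validates instead of replaying the cached failure.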
I was finally able to find a little time to do the above test.
With the "Protocol for DNS queries" field set to "TLS", if I enter Quad9's DNS servers, no problem, it works fine with those servers.
On the other hand, for the DNS servers of my DNS provider, DNSFilter, only UDP and TCP work!
Look at my capture below:
The problem is that if I disable Quad9's DNS servers, I get the errors I described when I opened this post in the firewall log, and the sites on the ipfire.org domain, or other sites, don't work!
So, is there anything to do on IPFire, or should I contact DNSFilter support?
Thanks
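"Only UDP and TCP work" with the TLS setting can mean three different things, and a packet capture of a failed TLS attempt does not separate them: the resolver does not accept connections on 853 at all, the TLS handshake completes but the resolver answers SERVFAIL (a validating resolver's answer when it cannot validate), or it answers without the AD bit, meaning the path is not validating and a DNSSEC-validating Unbound behind it will fail exactly as in the first post. The probe below is an added example, not from the post, IPFire or DNSFilter: it builds a DNS query with the EDNS0 DO bit, sends it over TLS with the 2-byte length framing of RFC 7858, and reports the RCODE and AD flag. The certificate is verified against the name you pass (Quad9's is dns.quad9.net) or, if none, against the IP itself; the two embedded replies are constructed for offline testing, not captured traffic.

```python
import random
import socket
import ssl
import struct
from typing import Optional

DOT_PORT = 853  # DNS over TLS (RFC 7858): TCP framing, 2-byte length prefix per message


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Recursive query with an EDNS0 OPT record. DO=1 asks the resolver to return DNSSEC
    data and, if it validates, to set AD on a validated answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL field carries the DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def parse_response(data: bytes) -> dict:
    """Pull the fields that matter for diagnosis out of the 12-byte header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & 0x0020),  # Authentic Data: the resolver validated the answer
        "ra": bool(flags & 0x0080),  # Recursion Available
        "tc": bool(flags & 0x0200),
        "ancount": an,
    }


def classify(r: dict) -> str:
    """Map a parsed header to the outcomes that matter when checking a forwarder."""
    if r["rcode"] == 2:
        return "servfail"  # validation failed upstream, or the resolver could not reach the zone
    if r["rcode"] != 0:
        return f"rcode-{r['rcode']}"
    return "validated" if r["ad"] else "unvalidated"  # answered without AD: not a validating path


def query_dot(server: str, qname: str, qtype: int = 1,
              server_name: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Send one query over TLS to server:853; return the parsed header plus a verdict,
    or an error string for a refused port, timeout, or failed handshake/certificate."""
    txid = random.randrange(0, 0x10000)
    msg = build_query(qname, qtype, txid)
    ctx = ssl.create_default_context()  # verifies the chain and the name (or IP) we pass
    try:
        with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
                tls.sendall(struct.pack("!H", len(msg)) + msg)
                length = struct.unpack("!H", _recv_exact(tls, 2))[0]
                reply = parse_response(_recv_exact(tls, length))
    except (OSError, ssl.SSLError) as exc:
        return {"error": f"{type(exc).__name__}: {exc}"}
    if reply["id"] != txid:
        return {"error": "transaction id mismatch"}
    reply["verdict"] = classify(reply)
    return reply


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


# Constructed replies (not captured traffic) so the parser can be exercised offline:
# a validated A answer for www.ipfire.org with AD=1, and a SERVFAIL with no answer.
_QUESTION = b"\x03www\x06ipfire\x03org\x00\x00\x01\x00\x01"
_OPT = bytes.fromhex("0000291000000080000000")
SAMPLE_VALIDATED = (bytes.fromhex("123481a00001000100000001") + _QUESTION
                    + bytes.fromhex("c00c0001000100000e100004c0000201") + _OPT)
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000001") + _QUESTION + _OPT

if __name__ == "__main__":
    import sys
    # usage: probe.py <resolver-ip> [qname] [certificate-name], e.g. 9.9.9.9 www.ipfire.org. dns.quad9.net
    server = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else "www.ipfire.org."
    print(query_dot(server, name, server_name=sys.argv[3] if len(sys.argv) > 3 else None))
```

Run it once against each Quad9 address with `dns.quad9.net` and once against each DNSFilter address from the log: a `ConnectionRefusedError` or timeout means no DoT listener, a certificate error means the name does not match what the provider presents, `servfail` or `unvalidated` means the server speaks TLS but is not a usable validating forwarder for IPFire. The same check with a stock tool is `kdig` with its `+tls` option.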
What about the problem I described in my first post? Is it possible that some domains (such as ipfire.org) don't accept being contacted via anything other than TLS?
There is a link at DNSFilter that talks about TLS: