In my /etc/unbound/unbound.conf.d/pi-hole.conf I have edns-buffer-size: 1232
OK, tried with both: 1234 and 1432. Same result...
I am lost here. Perhaps if you are using DNS Forwarding and not DNS Resolving then change the DNS servers you forward to.
I was using DNS Forwarder up until today when I did the lookup tests from pfSense. But since the unbound of pfsense is also failing ( and there's no other upstream machine before the ISP router - which is in bridge mode ), but at the same time the unresolved domains ARE being resolved if using google DNS... I really don't know what to think anymore...
As a local recursive resolver employing DNSSEC, unbound works differently from a public resolver like Google.
During recursion, unbound will query each authoritative DNS server on the resolution chain. If something interferes with one such server, then that would affect only the specific domain that server is authoritative for (and consequently, its subdomains, of course).
Your observation of just some domains failing could be explained by such interference, e.g. if your ISP would block access to just those servers or some of its answers.
So its not failing on DNSSEC validation, but on fetching a DNS record.
DNSSEC enabled servers may provide additional information as to why a SERVFAIL has been triggered in an EDE error code when the query requests DNSSEC validation.
If you encounter a SERVFAIL again, could you share the result of:
dig +dnssec @127.0.0.1 -p 5335 plex.tv
Depending on your version of dig, the EDE code may be printed as a number or translated into a text (if present at all).
If you encounter a SERVFAIL again, could you share the result of:
dig +dnssec @127.0.0.1 -p 5335 plex.tv
this outputs this:
root@pihole:~# dig +dnssec @127.0.0.1 -p 5335 plex.tv
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +dnssec @127.0.0.1 -p 5335 plex.tv
; (1 server found)
;; global options: +cmd
;; no servers could be reached
Is there any way to check if the ISP is indeed blocking some of the servers ( although I can't see any reasons for Vodafone to do just that )?
LE: are these 2 additional outputs giving you some more insights?
root@pihole:~# dig +notrace plex.tv
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +notrace plex.tv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56895
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;plex.tv. IN A
;; Query time: 88 msec
;; SERVER: 192.168.3.1#53(192.168.3.1) (UDP)
;; WHEN: Tue Feb 27 09:09:39 EET 2024
;; MSG SIZE rcvd: 36
root@pihole:~# dig +trace plex.tv
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +trace plex.tv
;; global options: +cmd
. 35045 IN NS c.root-servers.net.
. 35045 IN NS j.root-servers.net.
. 35045 IN NS d.root-servers.net.
. 35045 IN NS f.root-servers.net.
. 35045 IN NS h.root-servers.net.
. 35045 IN NS i.root-servers.net.
. 35045 IN NS a.root-servers.net.
. 35045 IN NS l.root-servers.net.
. 35045 IN NS m.root-servers.net.
. 35045 IN NS k.root-servers.net.
. 35045 IN NS g.root-servers.net.
. 35045 IN NS e.root-servers.net.
. 35045 IN NS b.root-servers.net.
. 35045 IN RRSIG NS 8 0 518400 20240310050000 20240226040000 30903 . bW9uK8sOQcteotBlaUx9aQUCnZIL4dpqKvhFJsB7Ra5yHy25MYRGTs0q RpSrx69kx1OFLWaa3U2/WoS18v4E2k9Vj0wl+thQkyOnKh1ngYcNLsjD Ejrp8MEGMvhylS+Sb32v6Se1Q6DAcMACcljNZ3+a/BYGZ8BFpTOwu0/U XwJGmPD7Hu07GyCc6pZUM0s3Sv5M+9Ta/4g46t/Zrw3XqtUOgRhHMWqE LYA1btK9MZyjwY2iVoIXJI8T7+g1oZMRqYI+9vpl7ZJDDyFclQBhn5ym ep1pKrCSMPqsmWkSPBBABXAK637Z4fDFoVSHpVVx6hn1d/HlVNeti+Na HEtwoA==
;; Received 525 bytes from 192.168.3.1#53(192.168.3.1) in 4 ms
tv. 172800 IN NS a.nic.tv.
tv. 172800 IN NS b.nic.tv.
tv. 172800 IN NS c.nic.tv.
tv. 172800 IN NS d.nic.tv.
tv. 86400 IN DS 57277 8 2 CDF61FAF1EBC9D83D5BC3D9DE22E794AE8ACDB0475EA8CF27E92CC00 F0C3F5F9
tv. 86400 IN RRSIG DS 8 1 86400 20240311050000 20240227040000 30903 . j8OokqggQu7hO3kgy0MmeGLVDPUvEWoe6WO05GWPQI1ErS5N3UH1eDsV k3DtRwoxlvGFQqKlIDkXFCe7fnYAZE55pxGOqel87nt4M6YLQKvcJLMI GGwEMXML53C3DTd5CjCyFKO56GFcuk/hk25MfCyDwQZ1X1lqkIC4hm8K h+akM9g8XKUBw8oLBrcisbUF4s8fMxUMh1rB7AnRqIA5c0R4edF+hutg wtcFZ3DOJBJemojlbsgr35pvHRxIfrtPauJCkE8x5IdMiWlpkgW3+RDG BKpQjJSW8QHH4d0rmnFdZteYiLFx6RmK2S/+ZKvrTDk72zHcrX7YwSrL HHS1CA==
couldn't get address for 'a.nic.tv': failure
couldn't get address for 'b.nic.tv': failure
couldn't get address for 'c.nic.tv': failure
couldn't get address for 'd.nic.tv': failure
dig: couldn't get address for 'a.nic.tv': no more
Hmm, that's the result for a time-out, not a SERVFAIL.
But your dig +trace plex.tv shows where the recursion fails:
{a/b/c/d}.nic.tv are the domains for the name servers authoritative for the tv domain (verifiable by dig NS tv), and your unbound cannot resolve those domains into IP addresses, preventing it from continuing recursion.
What's the result for
dig +dnssec @127.0.0.1 -p 5335 a.nic.tv
here it is ( same for b, c and d ):
root@pihole:~# dig +dnssec @127.0.0.1 -p 5335 a.nic.tv
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +dnssec @127.0.0.1 -p 5335 a.nic.tv
; (1 server found)
;; global options: +cmd
;; no servers could be reached
That's a time-out again.
If that's reproducible, run your +trace on a.nic.tv, and see where that fails.
there's the output:
root@pihole:~# dig +trace on a.nic.tv
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +trace on a.nic.tv
;; global options: +cmd
. 21208 IN NS d.root-servers.net.
. 21208 IN NS f.root-servers.net.
. 21208 IN NS h.root-servers.net.
. 21208 IN NS i.root-servers.net.
. 21208 IN NS a.root-servers.net.
. 21208 IN NS l.root-servers.net.
. 21208 IN NS m.root-servers.net.
. 21208 IN NS k.root-servers.net.
. 21208 IN NS g.root-servers.net.
. 21208 IN NS e.root-servers.net.
. 21208 IN NS b.root-servers.net.
. 21208 IN NS c.root-servers.net.
. 21208 IN NS j.root-servers.net.
. 21208 IN RRSIG NS 8 0 518400 20240310050000 20240226040000 30903 . bW9uK8sOQcteotBlaUx9aQUCnZIL4dpqKvhFJsB7Ra5yHy25MYRGTs0q RpSrx69kx1OFLWaa3U2/WoS18v4E2k9Vj0wl+thQkyOnKh1ngYcNLsjD Ejrp8MEGMvhylS+Sb32v6Se1Q6DAcMACcljNZ3+a/BYGZ8BFpTOwu0/U XwJGmPD7Hu07GyCc6pZUM0s3Sv5M+9Ta/4g46t/Zrw3XqtUOgRhHMWqE LYA1btK9MZyjwY2iVoIXJI8T7+g1oZMRqYI+9vpl7ZJDDyFclQBhn5ym ep1pKrCSMPqsmWkSPBBABXAK637Z4fDFoVSHpVVx6hn1d/HlVNeti+Na HEtwoA==
;; Received 525 bytes from 192.168.3.1#53(192.168.3.1) in 0 ms
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024022700 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20240311050000 20240227040000 30903 . W7UvDDje8jQOXoP0YK0C6Aio/qt+3MxeD1JomLgNhzTJuB5ba/1nvgi3 o4h/h2baaSUUpqGnop1SCJrj1Br54atP8T3ibXMQ8nCaNsBVOBHSf9o4 w+eWm+Mg0ubpHQlDA/YeqnEI3o0vO+93srNv5pBu2FObOJ8rrAo7GEAD ouvmPd0hAd037c8GjEIu3Yjc7s6kKDsbEYC6ZA1ys4smKjAhvXRtAjmb SoKRqMmLb6GcFv6ltqyDjoDc6xpE1FjVEyGIshEwEPLuVBgQoMTYVaL1 yqShGQL/QALJQKTPm+c//7ZN3rlPZq0oqw0T0G3IjNEcH47YKIbpG4oS tVvFJw==
omega. 86400 IN NSEC one. NS DS RRSIG NSEC
omega. 86400 IN RRSIG NSEC 8 1 86400 20240311050000 20240227040000 30903 . UUX4WmNJJ9cRY50ywi3uu247LI/JJFPxWny2lHRSDgRcj+26kukqk4UN 3wV2rYPylIG7/iCS9uvThvd1gdJLzILeFl0OqdCTL0Nc01UtXCIoSpNt sjY5+m+xqyIOEDgpB3m+O+62tvhfKTfxOnAcdyakxx5f7uxlKDo0XSA6 YdIWdiOKtXQLtW/NAh/0jzfNne374NCUMolvBTgzoriqK+J71gpszniH ly+L4102f3ma+urqhXhb3hw5pyV1UCJHe+XNKhp+KQQl4wViyRKKpBDb BIT/MYLFCExgcF2DBSC6Elb42r+w6GX71TnwSFTzh3twzkPy13RmjJkj HjOrOw==
. 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY ZONEMD
. 86400 IN RRSIG NSEC 8 0 86400 20240311050000 20240227040000 30903 . cNE4bGVfewVaLOiyPe5ctLhuGhS2CLIVqsvFeReGYXxYeu9o8whkS/iM wP5HWSjtMX6uE6t95I2DHi2kDkXW4z3enE+cyknHg90sgXyCGRaMw0TB KPJWRzydtl1ib1UoM3tEcHsmUfMUcfpjK27IMWQTz5z97TDwcPqp+4C1 Wyuv9GIM0nWig2MnMACmqUKeGoLIxsu6xUmTh23KYPunr5aHpMnB4J8K DvSyVCzZ9Rm8rD3hd/xPk7mgo6P8OUWDRg2zcvAU7thJsgr6Tj9lBkjp qsEA58GfX2rFvyDsH8pRonIJM/xqyIERr8mSYD+HZP3aCImjq2vdAJei /rRXvA==
;; Received 1021 bytes from 198.41.0.4#53(a.root-servers.net) in 44 ms
. 21208 IN NS e.root-servers.net.
. 21208 IN NS b.root-servers.net.
. 21208 IN NS c.root-servers.net.
. 21208 IN NS j.root-servers.net.
. 21208 IN NS d.root-servers.net.
. 21208 IN NS f.root-servers.net.
. 21208 IN NS h.root-servers.net.
. 21208 IN NS i.root-servers.net.
. 21208 IN NS a.root-servers.net.
. 21208 IN NS l.root-servers.net.
. 21208 IN NS m.root-servers.net.
. 21208 IN NS k.root-servers.net.
. 21208 IN NS g.root-servers.net.
. 21208 IN RRSIG NS 8 0 518400 20240310050000 20240226040000 30903 . bW9uK8sOQcteotBlaUx9aQUCnZIL4dpqKvhFJsB7Ra5yHy25MYRGTs0q RpSrx69kx1OFLWaa3U2/WoS18v4E2k9Vj0wl+thQkyOnKh1ngYcNLsjD Ejrp8MEGMvhylS+Sb32v6Se1Q6DAcMACcljNZ3+a/BYGZ8BFpTOwu0/U XwJGmPD7Hu07GyCc6pZUM0s3Sv5M+9Ta/4g46t/Zrw3XqtUOgRhHMWqE LYA1btK9MZyjwY2iVoIXJI8T7+g1oZMRqYI+9vpl7ZJDDyFclQBhn5ym ep1pKrCSMPqsmWkSPBBABXAK637Z4fDFoVSHpVVx6hn1d/HlVNeti+Na HEtwoA==
;; Received 525 bytes from 192.168.3.1#53(192.168.3.1) in 0 ms
tv. 172800 IN NS a.nic.tv.
tv. 172800 IN NS b.nic.tv.
tv. 172800 IN NS c.nic.tv.
tv. 172800 IN NS d.nic.tv.
tv. 86400 IN DS 57277 8 2 CDF61FAF1EBC9D83D5BC3D9DE22E794AE8ACDB0475EA8CF27E92CC00 F0C3F5F9
tv. 86400 IN RRSIG DS 8 1 86400 20240311050000 20240227040000 30903 . j8OokqggQu7hO3kgy0MmeGLVDPUvEWoe6WO05GWPQI1ErS5N3UH1eDsV k3DtRwoxlvGFQqKlIDkXFCe7fnYAZE55pxGOqel87nt4M6YLQKvcJLMI GGwEMXML53C3DTd5CjCyFKO56GFcuk/hk25MfCyDwQZ1X1lqkIC4hm8K h+akM9g8XKUBw8oLBrcisbUF4s8fMxUMh1rB7AnRqIA5c0R4edF+hutg wtcFZ3DOJBJemojlbsgr35pvHRxIfrtPauJCkE8x5IdMiWlpkgW3+RDG BKpQjJSW8QHH4d0rmnFdZteYiLFx6RmK2S/+ZKvrTDk72zHcrX7YwSrL HHS1CA==
couldn't get address for 'a.nic.tv': failure
couldn't get address for 'b.nic.tv': failure
couldn't get address for 'c.nic.tv': failure
couldn't get address for 'd.nic.tv': failure
dig: couldn't get address for 'a.nic.tv': no more
That should have been:
dig +trace a.nic.tv
Please also share what happens if you try via a root server:
dig +norecurse a.nic.tv @k.root-servers.net
That should look similar to (click for details)
; <<>> DiG 9.11.5-P4-5.1+deb10u10-Raspbian <<>> -4 +norecurse a.nic.tv @k.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58216
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.nic.tv. IN A
;; AUTHORITY SECTION:
tv. 172800 IN NS a.nic.tv.
tv. 172800 IN NS c.nic.tv.
tv. 172800 IN NS b.nic.tv.
tv. 172800 IN NS d.nic.tv.
;; ADDITIONAL SECTION:
a.nic.tv. 172800 IN A 37.209.192.6
d.nic.tv. 172800 IN A 37.209.198.6
c.nic.tv. 172800 IN A 37.209.196.6
b.nic.tv. 172800 IN A 37.209.194.6
a.nic.tv. 172800 IN AAAA 2001:dcd:1::6
d.nic.tv. 172800 IN AAAA 2001:dcd:4::6
c.nic.tv. 172800 IN AAAA 2001:dcd:3::6
b.nic.tv. 172800 IN AAAA 2001:dcd:2::6
;; Query time: 14 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Tue Feb 27 12:22:22 CET 2024
;; MSG SIZE rcvd: 277
Oh, sorry, I haven't noticed. Here's the output of dig +trace a.nic.tv:
root@pihole:~# dig +trace a.nic.tv
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +trace a.nic.tv
;; global options: +cmd
. 9911 IN NS a.root-servers.net.
. 9911 IN NS l.root-servers.net.
. 9911 IN NS m.root-servers.net.
. 9911 IN NS k.root-servers.net.
. 9911 IN NS g.root-servers.net.
. 9911 IN NS e.root-servers.net.
. 9911 IN NS b.root-servers.net.
. 9911 IN NS c.root-servers.net.
. 9911 IN NS j.root-servers.net.
. 9911 IN NS d.root-servers.net.
. 9911 IN NS f.root-servers.net.
. 9911 IN NS h.root-servers.net.
. 9911 IN NS i.root-servers.net.
. 9911 IN RRSIG NS 8 0 518400 20240310050000 20240226040000 30903 . bW9uK8sOQcteotBlaUx9aQUCnZIL4dpqKvhFJsB7Ra5yHy25MYRGTs0q RpSrx69kx1OFLWaa3U2/WoS18v4E2k9Vj0wl+thQkyOnKh1ngYcNLsjD Ejrp8MEGMvhylS+Sb32v6Se1Q6DAcMACcljNZ3+a/BYGZ8BFpTOwu0/U XwJGmPD7Hu07GyCc6pZUM0s3Sv5M+9Ta/4g46t/Zrw3XqtUOgRhHMWqE LYA1btK9MZyjwY2iVoIXJI8T7+g1oZMRqYI+9vpl7ZJDDyFclQBhn5ym ep1pKrCSMPqsmWkSPBBABXAK637Z4fDFoVSHpVVx6hn1d/HlVNeti+Na HEtwoA==
;; Received 525 bytes from 192.168.3.1#53(192.168.3.1) in 0 ms
tv. 172800 IN NS a.nic.tv.
tv. 172800 IN NS c.nic.tv.
tv. 172800 IN NS b.nic.tv.
tv. 172800 IN NS d.nic.tv.
tv. 86400 IN DS 57277 8 2 CDF61FAF1EBC9D83D5BC3D9DE22E794AE8ACDB0475EA8CF27E92CC00 F0C3F5F9
tv. 86400 IN RRSIG DS 8 1 86400 20240311050000 20240227040000 30903 . j8OokqggQu7hO3kgy0MmeGLVDPUvEWoe6WO05GWPQI1ErS5N3UH1eDsV k3DtRwoxlvGFQqKlIDkXFCe7fnYAZE55pxGOqel87nt4M6YLQKvcJLMI GGwEMXML53C3DTd5CjCyFKO56GFcuk/hk25MfCyDwQZ1X1lqkIC4hm8K h+akM9g8XKUBw8oLBrcisbUF4s8fMxUMh1rB7AnRqIA5c0R4edF+hutg wtcFZ3DOJBJemojlbsgr35pvHRxIfrtPauJCkE8x5IdMiWlpkgW3+RDG BKpQjJSW8QHH4d0rmnFdZteYiLFx6RmK2S/+ZKvrTDk72zHcrX7YwSrL HHS1CA==
couldn't get address for 'a.nic.tv': failure
couldn't get address for 'c.nic.tv': failure
couldn't get address for 'b.nic.tv': failure
couldn't get address for 'd.nic.tv': failure
dig: couldn't get address for 'a.nic.tv': no more
and here for dig +norecurse a.nic.tv @k.root-servers.net:
root@pihole:~# dig +norecurse a.nic.tv @k.root-servers.net
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> +norecurse a.nic.tv @k.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44838
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.nic.tv. IN A
;; AUTHORITY SECTION:
tv. 172800 IN NS a.nic.tv.
tv. 172800 IN NS b.nic.tv.
tv. 172800 IN NS c.nic.tv.
tv. 172800 IN NS d.nic.tv.
;; ADDITIONAL SECTION:
a.nic.tv. 172800 IN A 37.209.192.6
b.nic.tv. 172800 IN A 37.209.194.6
c.nic.tv. 172800 IN A 37.209.196.6
d.nic.tv. 172800 IN A 37.209.198.6
a.nic.tv. 172800 IN AAAA 2001:dcd:1::6
b.nic.tv. 172800 IN AAAA 2001:dcd:2::6
c.nic.tv. 172800 IN AAAA 2001:dcd:3::6
d.nic.tv. 172800 IN AAAA 2001:dcd:4::6
;; Query time: 44 msec
;; SERVER: 193.0.14.129#53(k.root-servers.net) (UDP)
;; WHEN: Tue Feb 27 16:11:02 EET 2024
;; MSG SIZE rcvd: 275
@Bucking_Horn not sure if the following has anything to do with the initial problem ( that being countless comm. timeouts ), but it seems something is not right: in the screen recording is visible a dashboard reported load of ~3 while in the console, htop display a value of ~15-20% load of CPU. Is there any explanation for this?
https://youtu.be/_N1B6PsNRXk
I don't think so.
You are dealing with two observations:
SERVFAILs for specific domains, and with occasional time-outs.
We are currently trying to understand the SERVFAILs, and so far, it seems as some of the authoritative name server names are not resolvable for you.
To further investigate this, you could add logging to unbound.
You could start with verbosity: 2, but may need to raise that further for more detailed query output.
As unbound's logs will grow large quickly with higher verbosity levels, for this analysis you should probably switch Pi-hole to another upstream and direct dig commands to your local unbound on port 5335.
That way, the logs only hold the requests you are interested in.
Alright, some interesting findings while logging level 2 verbosity of unbound the following commands:
dig plex.tv @127.0.0.1 -p 5335 # timed out
dig debian.be @127.0.0.1 -p 5335 #resolved although up until nw it falled under 'SERVFAIL' or timeout
dig newpharma.be @127.0.0.1 -p 5335 # resolved - also for the first time
dig gov.uk @127.0.0.1 -p 5335 # timed out
dig plex.tv @127.0.0.1 -p 5335 # timed out
Mar 01 17:26:33 unbound[32017:0] notice: init module 0: subnet
Mar 01 17:26:33 unbound[32017:0] notice: init module 1: validator
Mar 01 17:26:33 unbound[32017:0] notice: init module 2: iterator
Mar 01 17:26:33 unbound[32017:0] info: start of service (unbound 1.13.1).
Mar 01 17:26:51 unbound[32017:0] info: resolving plex.tv. A IN
Mar 01 17:26:51 unbound[32017:0] info: priming . IN NS
Mar 01 17:26:52 unbound[32017:0] info: response for . NS IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <.> 199.7.83.42#53
Mar 01 17:26:52 unbound[32017:0] info: query response was ANSWER
Mar 01 17:26:52 unbound[32017:0] info: priming successful for . NS IN
Mar 01 17:26:52 unbound[32017:0] info: response for plex.tv. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <.> 199.7.91.13#53
Mar 01 17:26:52 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:26:52 unbound[32017:0] info: response for plex.tv. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <tv.> 37.209.196.6#53
Mar 01 17:26:52 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:26:52 unbound[32017:0] info: resolving jeremy.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: resolving rafe.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: response for jeremy.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <.> 198.41.0.4#53
Mar 01 17:26:52 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:26:52 unbound[32017:0] info: response for rafe.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <.> 170.247.170.2#53
Mar 01 17:26:52 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:26:52 unbound[32017:0] info: response for rafe.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <com.> 192.12.94.30#53
Mar 01 17:26:52 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:26:52 unbound[32017:0] info: response for rafe.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <cloudflare.com.> 162.159.8.55#53
Mar 01 17:26:52 unbound[32017:0] info: query response was ANSWER
Mar 01 17:26:52 unbound[32017:0] info: response for rafe.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <cloudflare.com.> 162.159.2.9#53
Mar 01 17:26:52 unbound[32017:0] info: query response was ANSWER
Mar 01 17:26:52 unbound[32017:0] info: response for plex.tv. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <plex.tv.> 108.162.192.216#53
Mar 01 17:26:52 unbound[32017:0] info: query response was ANSWER
Mar 01 17:26:52 unbound[32017:0] info: prime trust anchor
Mar 01 17:26:52 unbound[32017:0] info: generate keytag query _ta-4f66. NULL IN
Mar 01 17:26:52 unbound[32017:0] info: resolving . DNSKEY IN
Mar 01 17:26:52 unbound[32017:0] info: resolving _ta-4f66. NULL IN
Mar 01 17:26:52 unbound[32017:0] info: response for . DNSKEY IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <.> 192.36.148.17#53
Mar 01 17:26:52 unbound[32017:0] info: query response was ANSWER
Mar 01 17:26:52 unbound[32017:0] info: validate keys with anchor(DS): sec_status_secure
Mar 01 17:26:52 unbound[32017:0] info: Successfully primed trust anchor . DNSKEY IN
Mar 01 17:26:52 unbound[32017:0] info: validated DS tv. DS IN
Mar 01 17:26:52 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:26:52 unbound[32017:0] info: response for _ta-4f66. NULL IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <.> 192.36.148.17#53
Mar 01 17:26:52 unbound[32017:0] info: query response was NXDOMAIN ANSWER
Mar 01 17:26:52 unbound[32017:0] info: response for jeremy.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <com.> 192.33.14.30#53
Mar 01 17:26:52 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:26:52 unbound[32017:0] info: response for jeremy.ns.cloudflare.com. A IN
Mar 01 17:26:52 unbound[32017:0] info: reply from <cloudflare.com.> 162.159.0.33#53
Mar 01 17:26:52 unbound[32017:0] info: query response was ANSWER
Mar 01 17:26:57 unbound[32017:0] info: resolving plex.tv. A IN
Mar 01 17:26:57 unbound[32017:0] info: validated DS tv. DS IN
Mar 01 17:27:02 unbound[32017:0] info: resolving plex.tv. A IN
Mar 01 17:27:02 unbound[32017:0] info: validated DS tv. DS IN
Mar 01 17:27:53 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:27:53 unbound[32017:0] info: response for tv. DNSKEY IN
Mar 01 17:27:53 unbound[32017:0] info: reply from <.> 202.12.27.33#53
Mar 01 17:27:53 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:05 unbound[32017:0] info: resolving d.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: response for d.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: reply from <.> 170.247.170.2#53
Mar 01 17:28:05 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:05 unbound[32017:0] info: response for d.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: reply from <tv.> 37.209.192.6#53
Mar 01 17:28:05 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:05 unbound[32017:0] info: response for d.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: reply from <tv.> 37.209.196.6#53
Mar 01 17:28:05 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:05 unbound[32017:0] info: resolving b.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: response for b.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: reply from <.> 199.7.83.42#53
Mar 01 17:28:05 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:05 unbound[32017:0] info: response for b.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: reply from <tv.> 37.209.198.6#53
Mar 01 17:28:05 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:05 unbound[32017:0] info: resolving c.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: response for c.nic.tv. A IN
Mar 01 17:28:05 unbound[32017:0] info: reply from <.> 170.247.170.2#53
Mar 01 17:28:05 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:06 unbound[32017:0] info: response for c.nic.tv. A IN
Mar 01 17:28:06 unbound[32017:0] info: reply from <tv.> 37.209.196.6#53
Mar 01 17:28:06 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:06 unbound[32017:0] info: resolving a.nic.tv. A IN
Mar 01 17:28:06 unbound[32017:0] info: response for a.nic.tv. A IN
Mar 01 17:28:06 unbound[32017:0] info: reply from <.> 198.97.190.53#53
Mar 01 17:28:06 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:06 unbound[32017:0] info: response for a.nic.tv. A IN
Mar 01 17:28:06 unbound[32017:0] info: reply from <tv.> 37.209.194.6#53
Mar 01 17:28:06 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:06 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:28:06 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:28:06 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:28:06 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:28:36 unbound[32017:0] info: resolving debian.be. A IN
Mar 01 17:28:37 unbound[32017:0] info: response for debian.be. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <.> 192.36.148.17#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for debian.be. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <be.> 194.0.37.1#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: resolving ns2.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: resolving ns3.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: resolving ns1.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: response for ns3.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <.> 192.36.148.17#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for ns2.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <.> 192.33.4.12#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for ns1.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <.> 198.97.190.53#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for ns1.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <net.> 192.5.6.30#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for ns1.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <contabo.net.> 79.143.182.242#53
Mar 01 17:28:37 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:37 unbound[32017:0] info: response for ns2.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <net.> 192.42.93.30#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for debian.be. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <debian.be.> 79.143.182.242#53
Mar 01 17:28:37 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:37 unbound[32017:0] info: validated DS be. DS IN
Mar 01 17:28:37 unbound[32017:0] info: resolving be. DNSKEY IN
Mar 01 17:28:37 unbound[32017:0] info: response for ns2.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <contabo.net.> 178.238.234.231#53
Mar 01 17:28:37 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:37 unbound[32017:0] info: response for be. DNSKEY IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <be.> 194.0.44.1#53
Mar 01 17:28:37 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:37 unbound[32017:0] info: validated DNSKEY be. DNSKEY IN
Mar 01 17:28:37 unbound[32017:0] info: NSEC3s for the referral proved no DS.
Mar 01 17:28:37 unbound[32017:0] info: Verified that unsigned response is INSECURE
Mar 01 17:28:37 unbound[32017:0] info: response for ns3.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <net.> 192.33.14.30#53
Mar 01 17:28:37 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:37 unbound[32017:0] info: response for ns3.contabo.net. A IN
Mar 01 17:28:37 unbound[32017:0] info: reply from <contabo.net.> 5.189.191.29#53
Mar 01 17:28:37 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:50 unbound[32017:0] info: resolving newpharma.be. A IN
Mar 01 17:28:50 unbound[32017:0] info: response for newpharma.be. A IN
Mar 01 17:28:50 unbound[32017:0] info: reply from <be.> 194.0.44.1#53
Mar 01 17:28:50 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:28:50 unbound[32017:0] info: resolving anita.ns.cloudflare.com. A IN
Mar 01 17:28:50 unbound[32017:0] info: resolving norman.ns.cloudflare.com. A IN
Mar 01 17:28:50 unbound[32017:0] info: response for anita.ns.cloudflare.com. A IN
Mar 01 17:28:50 unbound[32017:0] info: reply from <cloudflare.com.> 162.159.4.8#53
Mar 01 17:28:50 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:50 unbound[32017:0] info: response for norman.ns.cloudflare.com. A IN
Mar 01 17:28:50 unbound[32017:0] info: reply from <cloudflare.com.> 162.159.8.55#53
Mar 01 17:28:50 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:50 unbound[32017:0] info: response for newpharma.be. A IN
Mar 01 17:28:50 unbound[32017:0] info: reply from <newpharma.be.> 172.64.34.82#53
Mar 01 17:28:50 unbound[32017:0] info: query response was ANSWER
Mar 01 17:28:50 unbound[32017:0] info: NSEC3s for the referral proved no DS.
Mar 01 17:28:50 unbound[32017:0] info: Verified that unsigned response is INSECURE
Mar 01 17:29:04 unbound[32017:0] info: resolving gov.uk. A IN
Mar 01 17:29:04 unbound[32017:0] info: response for gov.uk. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <.> 198.97.190.53#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for gov.uk. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <uk.> 156.154.102.3#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: resolving auth00.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: resolving auth50.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: resolving ns0.ja.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: response for auth00.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <net.> 192.12.94.30#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for auth50.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <net.> 192.5.6.30#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for ns0.ja.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <net.> 192.41.162.30#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: resolving ns1.surfnet.nl. A IN
Mar 01 17:29:04 unbound[32017:0] info: response for auth00.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <uu.net.> 195.129.12.74#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for ns0.ja.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <ja.net.> 193.63.94.20#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: response for auth00.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <de.uu.net.> 194.128.171.99#53
Mar 01 17:29:04 unbound[32017:0] info: query response was nodata ANSWER
Mar 01 17:29:04 unbound[32017:0] info: response for gov.uk. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <gov.uk.> 128.86.1.20#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: validated DS uk. DS IN
Mar 01 17:29:04 unbound[32017:0] info: resolving uk. DNSKEY IN
Mar 01 17:29:04 unbound[32017:0] info: response for auth50.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <uu.net.> 198.6.1.65#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for auth00.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <de.uu.net.> 194.128.171.99#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: response for uk. DNSKEY IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <uk.> 103.49.80.1#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: validated DNSKEY uk. DNSKEY IN
Mar 01 17:29:04 unbound[32017:0] info: validated DS gov.uk. DS IN
Mar 01 17:29:04 unbound[32017:0] info: resolving gov.uk. DNSKEY IN
Mar 01 17:29:04 unbound[32017:0] info: resolving ns3.ja.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: response for auth50.ns.de.uu.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <de.uu.net.> 192.76.144.14#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: response for ns3.ja.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <ja.net.> 193.63.94.20#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: response for ns1.surfnet.nl. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <.> 192.58.128.30#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for ns1.surfnet.nl. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <nl.> 194.0.25.24#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: resolving ns1.zurich.surf.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: response for ns1.zurich.surf.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <net.> 192.41.162.30#53
Mar 01 17:29:04 unbound[32017:0] info: query response was REFERRAL
Mar 01 17:29:04 unbound[32017:0] info: response for ns1.surfnet.nl. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <surfnet.nl.> 195.169.124.71#53
Mar 01 17:29:04 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:04 unbound[32017:0] info: response for ns1.zurich.surf.net. A IN
Mar 01 17:29:04 unbound[32017:0] info: reply from <surf.net.> 195.176.255.9#53
Mar 01 17:29:04 unbound[32017:0] info: query response was nodata ANSWER
Mar 01 17:29:05 unbound[32017:0] info: response for ns1.zurich.surf.net. A IN
Mar 01 17:29:05 unbound[32017:0] info: reply from <surf.net.> 195.169.124.71#53
Mar 01 17:29:05 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:06 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:29:06 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:29:06 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:29:06 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:29:09 unbound[32017:0] info: resolving gov.uk. A IN
Mar 01 17:29:09 unbound[32017:0] info: validated DS gov.uk. DS IN
Mar 01 17:29:14 unbound[32017:0] info: resolving gov.uk. A IN
Mar 01 17:29:14 unbound[32017:0] info: validated DS gov.uk. DS IN
Mar 01 17:29:26 unbound[32017:0] info: resolving plex.tv. A IN
Mar 01 17:29:26 unbound[32017:0] info: response for plex.tv. A IN
Mar 01 17:29:26 unbound[32017:0] info: reply from <plex.tv.> 108.162.192.216#53
Mar 01 17:29:26 unbound[32017:0] info: query response was ANSWER
Mar 01 17:29:26 unbound[32017:0] info: validated DS tv. DS IN
Mar 01 17:29:31 unbound[32017:0] info: resolving plex.tv. A IN
Mar 01 17:29:31 unbound[32017:0] info: validated DS tv. DS IN
Mar 01 17:29:36 unbound[32017:0] info: resolving plex.tv. A IN
Mar 01 17:29:36 unbound[32017:0] info: validated DS tv. DS IN
Mar 01 17:30:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:07 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:30:45 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:45 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:45 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:30:45 unbound[32017:0] info: resolving gov.uk. DNSKEY IN
Mar 01 17:31:08 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:31:08 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:31:08 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:31:08 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:31:08 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:31:08 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:31:08 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:32:09 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:09 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:09 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:09 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:09 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:09 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:09 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:32:26 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:26 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:26 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:32:26 unbound[32017:0] info: resolving gov.uk. DNSKEY IN
Mar 01 17:33:10 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:33:10 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:33:10 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:33:10 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:33:10 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:33:10 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:33:10 unbound[32017:0] info: Could not establish a chain of trust to keys for tv. DNSKEY IN
Mar 01 17:33:10 unbound[32017:0] info: Could not establish a chain of trust to keys for tv. DNSKEY IN
Mar 01 17:33:10 unbound[32017:0] info: Could not establish a chain of trust to keys for tv. DNSKEY IN
Mar 01 17:33:10 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:34:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:34:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:34:07 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:34:07 unbound[32017:0] info: resolving gov.uk. DNSKEY IN
Mar 01 17:34:07 unbound[32017:0] info: resolving ns1.surfnet.nl. A IN
Mar 01 17:34:07 unbound[32017:0] info: resolving ns1.zurich.surf.net. A IN
Mar 01 17:34:07 unbound[32017:0] info: response for ns1.zurich.surf.net. A IN
Mar 01 17:34:07 unbound[32017:0] info: reply from <surf.net.> 128.86.1.20#53
Mar 01 17:34:07 unbound[32017:0] info: query response was nodata ANSWER
Mar 01 17:34:07 unbound[32017:0] info: response for ns1.surfnet.nl. A IN
Mar 01 17:34:07 unbound[32017:0] info: reply from <surfnet.nl.> 193.63.94.20#53
Mar 01 17:34:07 unbound[32017:0] info: query response was ANSWER
Mar 01 17:34:07 unbound[32017:0] info: response for ns1.zurich.surf.net. A IN
Mar 01 17:34:07 unbound[32017:0] info: reply from <surf.net.> 128.86.1.20#53
Mar 01 17:34:07 unbound[32017:0] info: query response was ANSWER
Mar 01 17:34:11 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:34:11 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:34:11 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:34:11 unbound[32017:0] info: resolving tv. DNSKEY IN
Mar 01 17:35:12 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:35:12 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:35:12 unbound[32017:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 01 17:35:12 unbound[32017:0] info: Could not establish a chain of trust to keys for tv. DNSKEY IN
Mar 01 17:35:12 unbound[32017:0] info: Could not establish a chain of trust to keys for tv. DNSKEY IN
Mar 01 17:35:12 unbound[32017:0] info: Could not establish a chain of trust to keys for tv. DNSKEY IN
The first line tells us what we already glanced from your previous dig results:
Recursion works for the .tv TLD.
The second line finally tells us why we saw those couldn't get address for '*.nic.tv' failures, despite the addresses obviously being available: unbound can't retrieve the DNSKEY to validate the reply. But as the domain claims to be digitally signed, unbound can not validates it and is thus forced to discard the answer.
As resolution of plex.tv works fine for others (including me), the question is now:
Why does your unbound fail to retrieve the DNSKEY records, and which DNSKEY does it try to retrieve?
As it seems only the DNSKEY is affected, I consider it less likely that your ISP is interfering here.
My slight suspicion now would be about UDP packets being to small to hold the DNSKEY (but I would expect unbound to retry and succeed retrieval via TCP instead).
To find further details, you should try to up unbound's verbosity and run that dig for plex.tv again.
Alright, I raised the logging level to 4. Here's the output of dig plex.tv @127.0.0.1 -p 5335: Dropbox
Have you confirmed that /etc/unbound/unbound.conf.d/pi-hole.conf contains the line edns-buffer-size: 1232 if you are using unbound on the same machine where you installed pihole. If you are using unbound on pfsense I think you can set it in the gui.
Yes @Moto is 1232 since the beginning. Tried also with 1432 with same results. using unbound on the same machine as pihole, not in pfsense.
DNSSEC is very easy to screw up. The last image in this post shows the resolution to the issue. It's a problem with the plex.tv zone not being configured correctly. DNSSEC Debugger - plex.tv (verisignlabs.com)
Mar 02 20:39:56 unbound[42914:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
Mar 02 20:39:56 unbound[42914:0] info: query response was ANSWER
Mar 02 20:39:56 unbound[42914:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
Mar 02 20:39:56 unbound[42914:0] info: finishing processing for a.nic.tv. A IN
Mar 02 20:39:56 unbound[42914:0] debug: mesh_run: iterator module exit state is module_finished
Mar 02 20:39:56 unbound[42914:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
Mar 02 20:39:56 unbound[42914:0] info: validator operate: query a.nic.tv. A IN
Mar 02 20:39:56 unbound[42914:0] debug: validator: nextmodule returned
Mar 02 20:39:56 unbound[42914:0] debug: not validating response, is valrec(validation recursion lookup)
Mar 02 20:39:56 unbound[42914:0] debug: mesh_run: validator module exit state is module_finished
Mar 02 20:39:56 unbound[42914:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_moddone
Mar 02 20:39:56 unbound[42914:0] info: subnet operate: query a.nic.tv. A IN
Mar 02 20:39:56 unbound[42914:0] debug: mesh_run: subnet module exit state is module_finished
Mar 02 20:39:56 unbound[42914:0] info: processTargetResponse a.nic.tv. A IN
Mar 02 20:39:56 unbound[42914:0] info: processTargetResponse super tv. DNSKEY IN
Mar 02 20:39:56 unbound[42914:0] info: add parentside glue to dp a.nic.tv. A IN
Mar 02 20:39:56 unbound[42914:0] debug: added target response
Mar 02 20:39:56 unbound[42914:0] info: DelegationPoint<tv.>: 4 names (0 missing), 8 addrs (4 result, 0 avail) parentNS
Mar 02 20:39:56 unbound[42914:0] info: d.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] info: c.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] info: b.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] info: a.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:4::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:3::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:2::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:1::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.198.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.196.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.194.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.192.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: iterator[module 2] operate: extstate:module_wait_subquery event:module_event_pass
Mar 02 20:39:56 unbound[42914:0] info: iterator operate: query tv. DNSKEY IN
Mar 02 20:39:56 unbound[42914:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Mar 02 20:39:56 unbound[42914:0] info: processQueryTargets: tv. DNSKEY IN
Mar 02 20:39:56 unbound[42914:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 4
Mar 02 20:39:56 unbound[42914:0] info: DelegationPoint<tv.>: 4 names (0 missing), 8 addrs (4 result, 0 avail) parentNS
Mar 02 20:39:56 unbound[42914:0] info: d.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] info: c.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] info: b.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] info: a.nic.tv. * A AAAA PSIDE_A
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:4::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:3::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:2::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip6 2001:dcd:1::6 port 53 (len 28)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.198.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.196.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.194.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: ip4 37.209.192.6 port 53 (len 16)
Mar 02 20:39:56 unbound[42914:0] debug: No more query targets, attempting last resort
Mar 02 20:39:56 unbound[42914:0] debug: out of query targets -- returning SERVFAIL
Mar 02 20:39:56 unbound[42914:0] debug: store error response in message cache
Mar 02 20:39:56 unbound[42914:0] debug: return error response SERVFAIL
Mar 02 20:39:56 unbound[42914:0] debug: mesh_run: iterator module exit state is module_finished
