Pi-hole with unbound cannot resolve a specific domain

I have a Pi-hole setup with unbound as a recursive DNS server as described in the following article: unbound - Pi-hole documentation

But Pi-hole/Unbound cannot resolve the following domain:
https://www.raadsinformatie.nl/

I get a SERVFAIL.

When I use the following website:
https://dnsviz.net/d/raadsinformatie.nl/dnssec/

I get the following errors:

The DS RRset for the zone included algorithm 5 (RSASHA1), but no DS RR matched a DNSKEY with algorithm 5 that signs the zone's DNSKEY RRset.

The question I have: can Pi-hole/unbound not resolve this domain because of the error message on the DS entry?
In other words, is this because of the DNSSEC configuration of the domain, or is my Pi-hole/unbound not configured correctly?

Hope someone can point me in the right direction.

If I use another DNS server, the domain is resolved correctly.
I don't have issues with other domains, as far as I can see.

Thanks for your help/information in advance.

I have enabled logging and see the following lines:

Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: query response was ANSWER
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:38::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:38::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:34::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:34::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:36::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:36::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:32::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:32::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 216.239.34.110#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: cache memory msg=327177 rrset=740114 infra=436338 val=121918 subnet=74504
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: iterator operate: query raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: response for raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: reply from <raadsinformatie.nl.> 216.239.34.110#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: query response was ANSWER
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: request has exceeded the maximum number of sends with 33
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: return error response SERVFAIL
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: validator operate: query raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: subnet operate: query raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: validator operate: query raadsinformatie.nl. A IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: Could not establish a chain of trust to keys for raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: subnet operate: query raadsinformatie.nl. A IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: cache memory msg=327177 rrset=740114 infra=436338 val=121918 subnet=74504
Mar 18 04:45:39 DietPi unbound[1728]: Mar 18 04:45:39 unbound[1728:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_new
Mar 18 04:45:39 DietPi unbound[1728]: Mar 18 04:45:39 unbound[1728:0] info: subnet operate: query acp-ss-ew1.adobe.io. A IN
Mar 18 04:45:39 DietPi unbound[1728]: Mar 18 04:45:39 unbound[1728:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass

Update:

I added the following to my config:

domain-insecure: raadsinformatie.nl

And now the domain gets resolved.

I am still curious whether this is a configuration issue with Pi-hole/unbound, or whether this domain doesn't have its DNSSEC implementation correctly in place.

From the pihole you can try to do a

dig raadsinformatie.nl

It resolves to IP 195.20.144.21 for me.

The url https://dnsviz.net/d/raadsinformatie.nl/dnssec/ doesn't look like a valid url. Both .nl and .net are TLDs. Note that a

dig dnsviz.net

returns an IP of 64.191.0.138 so it seems like your URL is composed of two separately valid domains.

Can you try the domain:

www.raadsinformatie.nl

or

raadsinformatie.nl

DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.

Both resolve, and using delv it responds as fully validated with an RRSIG. I do not know DNSSEC well, so if it's DNSSEC-specific, one of the mods or devs will be more helpful.

pi@PiServer:~ $ delv www.raadsinformatie.nl
; fully validated
www.raadsinformatie.nl. 142 IN A 195.20.144.21
www.raadsinformatie.nl. 142 IN RRSIG A 8 2 300 20240405103410 20240314103410 40785 raadsinformatie.nl. jrm6hrpk5IDukxgrnUQisE4Sq6h44uSiALp6QWrMT6xheIP/g3r8h/0s Jk2P/uHTcbcpVBtQFTwx/6zb8oTPicvkPRr9TSm3jBjIhcy2f3OmHPBi 708AU84rIV++RpbXfqRbaHD4+C7X0s9x0LbI7E7gHrlY33dZkMISuqhP ACY=

pi@PiServer:~ $ delv raadsinformatie.nl
; fully validated
raadsinformatie.nl. 150 IN A 195.20.144.21
raadsinformatie.nl. 150 IN RRSIG A 8 2 300 20240405103410 20240314103410 40785 raadsinformatie.nl. mPOSmj7p8aRzQPS3Vbig/z2Dm0GHYTEiKo2Uzi2tNaFy6uIgTZ2ltmGa cLx0p+kqKuSaj1HotClQxUPbGoOzq9NWbbAy06GOFCzmiE/rhx+BOIc3 RG/egb3PX5zOc6M6wUC6rJSeXQmP4Q/s1TzdJuu+BR3wSsFKidfnSBJE S5k=
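
A way to triage the unbound log posted earlier in this thread, as an added example that is not part of any post here: it separates the case where the iterator gave up fetching the DNSKEY RRset (so the validator never had keys to check) from the case where only a chain-of-trust failure is logged. The verdict labels and the `triage` function are hypothetical names, and the verdict is a reading of the log lines, not a diagnosis confirmed in the thread.

```python
import re

# Excerpt of the unbound log lines posted above (syslog prefix trimmed).
SAMPLE = """\
unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
unbound[1728:0] info: error sending query to auth server 2001:4860:4802:38::6e port 53
unbound[1728:0] info: error sending query to auth server 2001:4860:4802:34::6e port 53
unbound[1728:0] info: reply from <raadsinformatie.nl.> 216.239.34.110#53
unbound[1728:0] debug: request has exceeded the maximum number of sends with 33
unbound[1728:0] debug: return error response SERVFAIL
unbound[1728:0] info: Missing DNSKEY RRset in response to DNSKEY query.
unbound[1728:0] info: Could not establish a chain of trust to keys for raadsinformatie.nl. DNSKEY IN
"""

PATTERNS = {
    "send_error": re.compile(r"error sending query to auth server (\S+) port \d+"),
    "reply": re.compile(r"reply from <[^>]*> ([0-9A-Fa-f:.]+)#\d+"),
    "max_sends": re.compile(r"exceeded the maximum number of sends with (\d+)"),
    "no_dnskey": re.compile(r"(Missing DNSKEY RRset) in response to DNSKEY query"),
    "no_chain": re.compile(r"Could not establish a chain of trust to keys for (\S+)"),
}

def triage(log_text):
    """Summarise one failed lookup: transport errors, iterator give-up, validator result."""
    hits = {name: [] for name in PATTERNS}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits[name].append(m.group(1))
    failed = sorted(set(hits["send_error"]))
    if hits["max_sends"] and hits["no_dnskey"]:
        verdict = "dnskey-fetch-failed"        # resolver never obtained the keys
    elif hits["no_chain"]:
        verdict = "chain-of-trust-failed"      # keys or signatures did not validate
    else:
        verdict = "no-dnssec-failure-logged"
    return {
        "verdict": verdict,
        "failed_servers": failed,
        # True when every address that could not be reached is an IPv6 address
        "only_ipv6_failed": bool(failed) and all(":" in a for a in failed),
        "answered_servers": sorted(set(hits["reply"])),
        "zone": hits["no_chain"][0].rstrip(".") if hits["no_chain"] else None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

When `only_ipv6_failed` is true and an IPv4 server did answer, checking the host's IPv6 connectivity to those authoritative servers is a reasonable next step before changing `domain-insecure`.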
