I have a pi-hole setup with unbound as a recursive dns server as described in the following article: unbound - Pi-hole documentation
But Pi-hole/Unbound cannot resolve the following domain:
https://www.raadsinformatie.nl/
I get a SERVFAIL
When I use the following website:
https://dnsviz.net/d/raadsinformatie.nl/dnssec/
I get the following errors:
The DS RRset for the zone included algorithm 5 (RSASHA1), but no DS RR matched a DNSKEY with algorithm 5 that signs the zone's DNSKEY RRset.
The question I have: can pi-hole/unbound not resolve this domain because of the error message on the DS entry?
In other words is this because of the DNSSEC configuration of the domain or is my pi-hole/unbound not configured correctly?
Hope someone can point me in the right direction.
If I use another DNS server, the domain is resolved correctly
I don't have issues with other domains, as far as I can see.
Thanks for your help/information in advance.
I have enabled logging and see the following lines
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: query response was ANSWER
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:38::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:38::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:34::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:34::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:36::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:36::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 2001:4860:4802:32::6e#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: error sending query to auth server 2001:4860:4802:32::6e port 53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: sending query: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: sending to target: <raadsinformatie.nl.> 216.239.34.110#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: cache memory msg=327177 rrset=740114 infra=436338 val=121918 subnet=74504
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: iterator operate: query raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: response for raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: reply from <raadsinformatie.nl.> 216.239.34.110#53
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: query response was ANSWER
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: processQueryTargets: raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: request has exceeded the maximum number of sends with 33
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: return error response SERVFAIL
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: validator operate: query raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: subnet operate: query raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: validator operate: query raadsinformatie.nl. A IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: Could not establish a chain of trust to keys for raadsinformatie.nl. DNSKEY IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] info: subnet operate: query raadsinformatie.nl. A IN
Mar 18 04:45:38 DietPi unbound[1728]: Mar 18 04:45:38 unbound[1728:0] debug: cache memory msg=327177 rrset=740114 infra=436338 val=121918 subnet=74504
Mar 18 04:45:39 DietPi unbound[1728]: Mar 18 04:45:39 unbound[1728:0] debug: subnet[module 0] operate: extstate:module_state_initial event:module_event_new
Mar 18 04:45:39 DietPi unbound[1728]: Mar 18 04:45:39 unbound[1728:0] info: subnet operate: query acp-ss-ew1.adobe.io. A IN
Mar 18 04:45:39 DietPi unbound[1728]: Mar 18 04:45:39 unbound[1728:0] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_pass
Update:
I added the following to my config:
domain-insecure: raadsinformatie.nl
And now the domain gets resolved
I am still curious whether this is a configuration issue in pi-hole/unbound, or whether this domain doesn't have its DNSSEC implementation correctly in place?
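The DNSViz message quoted in the post can be reproduced offline. The following is an added example, not part of the original post: it checks which algorithms in a parent-side DS RRset have no DS record pointing at a DNSKEY the zone actually publishes. The zone name, key bytes and DS values are constructed, the function names are hypothetical, and only the DS-to-DNSKEY match is checked (not whether that key signs the DNSKEY RRset).

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def unmatched_ds_algorithms(owner, ds_rrset, dnskey_rrset):
    """Return the DS algorithms for which no DS RR matches a published DNSKEY.

    ds_rrset: list of (key_tag, algorithm, digest_type, digest_hex).
    dnskey_rrset: list of DNSKEY RDATA bytes.
    Only digest type 2 is verified; other digest types count as unmatched.
    """
    keys = {(key_tag(r), r[3]): r for r in dnskey_rrset}  # r[3] = algorithm
    matched = set()
    for tag, alg, dtype, digest in ds_rrset:
        rdata = keys.get((tag, alg))
        if rdata and dtype == 2 and digest.lower() == ds_sha256(owner, rdata):
            matched.add(alg)
    return sorted({alg for _, alg, _, _ in ds_rrset} - matched)

# Constructed sample data: a zone that publishes only an algorithm 13 key,
# while the parent still lists a DS for algorithm 5 (RSASHA1).
ZONE = "example.nl."
KSK13 = dnskey_rdata(257, 13, bytes(range(64)))  # not a real key
DS_RRSET = [
    (key_tag(KSK13), 13, 2, ds_sha256(ZONE, KSK13)),
    (12345, 5, 2, "00" * 32),  # DS with no corresponding DNSKEY
]

if __name__ == "__main__":
    print("DS algorithms without a matching DNSKEY:",
          unmatched_ds_algorithms(ZONE, DS_RRSET, [KSK13]))
```

A non-empty result is a mismatch between the parent's DS RRset and the zone's own keys, which is fixed at the registrar or DNS operator and not in the resolver configuration.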