Hi, I'm trying to deploy an unbound installation in Ubuntu 16.04, but with no success enabling DNSSEC.
# Configuration (unbound.conf):
=============================================
server:
    # DNSSEC anchor key
    trust-anchor-file: "/var/lib/unbound/root.key"

    # Root Servers information
    root-hints: "/var/lib/unbound/root.hints"

    # interfaces serving DNS
    interface: 0.0.0.0
    interface: ::0

    # access control
    access-control: x.x.x.x/21 allow
    access-control: 100.64.0.0/10 allow
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow

    # more options
    hide-identity: yes
    hide-version: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: no

# remote control
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
=======================

# Root Key and Root Hints:
"/var/lib/unbound/root.key" has "https://nlnetlabs.nl/downloads/unbound/root-11sep-11oct.key" content
"/var/lib/unbound/root.hints" has "ftp://ftp.internic.net/domain/named.cache" content
======================

# Results:
When trust-anchor-file: "/var/lib/unbound/root.key" is inactive (commented), all sites are resolved correctly, but with no DNSSEC support (rootcanary.org/test.html shows only yellow padlocks).

When trust-anchor-file: "/var/lib/unbound/root.key" is active (uncommented), all .org domains aren't resolved (other domains are resolved correctly):

# Sites that are not resolved:
fire.org
rootcanary.org
under-linux.org
telegram.org

What can I try to solve this?
