Thanks for looking into this. I have added some other sites that also present this problem to the issue.
best,
hank

On Wed, May 23, 2018 at 8:58 AM, Petr Špaček via Unbound-users <unbound-users@unbound.net> wrote:

> On 23.5.2018 15:46, W.C.A. Wijngaards via Unbound-users wrote:
>
>> Hi Hank,
>>
>> On 23/05/18 15:23, Hank Barta via Unbound-users wrote:
>>
>>> Hi all,
>>> I use pfsense for my firewall and have selected the unbound resolver for
>>> DNS on my home LAN. I have configured this to use Cloudflare DNS with
>>> DNSSEC enabled. In addition to checking the "Enable DNSSEC Support"
>>> checkbox on the DNS Resolver configuration page I have added the custom
>>> options
>>>
>>
>> The 1.1.1.1 server responds without DNSSEC for coder.show DS queries.
>> And for an insecure referral it needs DS denial information for type DS,
>> e.g. the NSEC or NSEC3 from the .show TLD.
>>
>> Without the forward to 1.1.1.1 it works fine for me. So it doesn't seem
>> to be the .show TLD or coder.show site, but the 1.1.1.1 unsigned CNAME
>> for qtype DS.
>>
>> A workaround is domain-insecure: "coder.show" in unbound.conf
>>
>
> This is most likely a bug in Knot Resolver and we are working on a fix:
> https://gitlab.labs.nic.cz/knot/knot-resolver/issues/359
>
> --
> Petr Špaček @ CZ.NIC
>

--
'03 BMW F650CS - hers
'98 Dakar K12RS - "BABY K" grew up.
'93 R100R w/ Velorex 700 (MBD starts...)
'95 Miata - "OUR LC"
polish visor: apply squashed bugs, rinse, repeat
Beautiful Sunny Winfield, Illinois