Hi,
I’ve Omnia with the latest firmware 3.9.2 and I still experience problems with DNSSEC and with the standard Omnia configuration - nothing special configured. I know about two services that doesn’t work with Omnia DNSSEC. One of them is mozilla.com - my Firefox isn’t able to automatically download new update. The second are HBO Go servers - HBO Client on my LG Smart TV can’t connect them.
it seems their validator is confused by DS query when CNAME appears. EDIT: and this case fails also when I add +cd (!!)
As a workaround, disabling forwarding should work, as knot-resolver’s validator doesn’t suffer from this. I can’t really see what your ISP’s server returns, but I assume it’s a similar problem to my ISP’s.
Just want to add that I also have the same problem witch access Mozilla CDN and I am forwarding DNS requets to the the following DNS servers there are public available (from https://blog.uncensoreddns.org/):
91.239.100.100
89.233.43.71
In all such cases I can mainly recommend to (1) report the failing query to admins of such servers and/or (2) disable forwarding or choose more “reliable” servers. (Or disable DNSSEC validation, but I do not recommend that.)
That’s correct. The records don’t exist, because cloudfront.net provably chooses not to use DNSSEC (and their answer also has some minor problems, but nothing too bad). That should lead to NOERROR empty answer, not to SERVFAIL. I also recommend to the link inside to dnsviz.net analysis from Verisign.
I still have a SERVFAIL error when trying to resolve “download.cdn.mozilla.net” and other Mozilla CDNs with forwarding to my ISP DNS (Orange.fr : 80.10.246.134, 81.253.149.5)
I tried custom kresd config trust_anchors.negative = { 'download.cdn.mozilla.net' } with NO success.
I have Turris Omnia version 3.10.3 with Knot DNS Resolver, version 2.3.0
About kresd, is there a CLI command (via socat - UNIX-CONNECT:rundir/tty/* ) to list currently active FORWARD policies ?
Seems either be inssue with kresd and/or the upstream resolver from Orange.
Try with another upstream resolver, e.g. 9.9.9.9 or 1.1.1.1 or 8.8.8.8. If works than the issue would appear to be with Orange’s DNS resolver. If it still happens than it would more likely be an issue with kresd
See if there is a difference in out put between dig @80.10.246.134 download.cdn.mozilla.net +dnssec and dig @9.9.9.9 download.cdn.mozilla.net +dnssec
With unbound just ran dig download.cdn.mozilla.net +dnssec
Note that the ADflag is absent from the response (that is with any upstream resolver I tried). Maybe that leads kresd to SERVFAIL - I am not familiar with the kresd error message causes however
That seems very likely. You may also want to disable forwarding instead. (It depends a bit on situation, but that’s generally the mode preferred by me.)