Hi, (since last update) I can’t load some pages. Chrome error: ERR_NAME_RESOLUTION_FAILED. So far I found two unavailable domains: and
It happens on my own Omnia version 3.8, ISP Praha-Centrio-cable. And simultaneously on a second Omnia (don’t know if it is updated) which my non-IT uncle owns. He has the default setup and doesn’t do any hacking with Omnia (he only bought it because of ‘security and reliability’); he uses a DSL modem from his ISP together with Omnia.

If I set up Google DNS on my PC, then all is fine…

What should I do with Omnia? Is KNOT DNS responsible for this?

Knot-resolver now validates by default in forwarding mode as well. I find it most likely that your ISP’s DNS servers obstruct some DNSSEC records. Easiest ways around that in Foris are either (a) leave forwarding and disable DNSSEC validation (basically the state you had before 3.8, apparently) or (b) disable forwarding and leave DNSSEC validation.

Thanks @vcunat, I unchecked “use forwarding” and now it works. BTW I found also is not accessible for me with forwarding enabled.

So basically Turris is doing everything the “right way” and therefore other parts of the internet don’t work? What should I tell my provider?

I now re-tested all these domains on my Omnia 3.8 with forwarding to ISP’s servers (Starnet), and all resolved. Still, I wouldn’t blame the ISP without looking more closely. It might still be a problem in knot-resolver (or in multiple places).

I certainly find forwarding more fragile than direct iteration, as the protocol wasn’t designed with forwarding in mind and more intermediaries mean more risks. And the implementation in kresd is less tested than iteration :slight_smile:

So can you provide a recommended configuration for kresd that does not break DNS resolution with DNSSEC without forwarding?

I have the same issue, using a local Munich provider.

Configurations without forwarding should work, and so far I haven’t seen anyone complaining about those. If it doesn’t, and fixed IP addresses do work (like basic ping), can you send Foris/Diagnostics for DNS, for a start? (Privately, if you prefer.)

You should check if your ISP is doing DNSSEC if you want to use their DNS. For this, you can do
dig @your_isp_dns +dnssec

You should have the “ad” flag in the answer. If not, or if you get an error, then your ISP’s DNS resolvers are not able to do DNSSEC and you should not use them.

It’s not important whether the ISP does validation or not (and the corresponding AD flag). It’s important whether the servers return correct DNSSEC records. kresd queries servers with +cd and does its own validation anyway. (All this assuming forwarding with validation.)
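Putting the two posts above together (the dig probe, and the point that kresd asks the forwarder with CD set and checks the records itself), here is an added check that is not from the thread; dnssec_verdict, probe_forwarder and the sample dig outputs are constructed for it, and the live probe assumes dig is installed.

```shell
#!/bin/sh
# Probe a forwarder the way a validating forwarding resolver sees it:
# DO bit set (+dnssec) and CD bit set (+cdflag), so the upstream's own
# AD verdict is irrelevant; what matters is whether RRSIGs come back.

# dnssec_verdict reads dig output on stdin and prints one word:
#   ok         NOERROR and RRSIG records present in the answer
#   stripped   NOERROR but no RRSIG: the forwarder drops DNSSEC data
#   error:X    status X (e.g. SERVFAIL) returned instead of an answer
#   no-answer  no dig header at all (timeout, unreachable server)
dnssec_verdict() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR) ;;
    '') echo "no-answer"; return 2 ;;
    *) echo "error:$status"; return 2 ;;
  esac
  if printf '%s\n' "$out" | grep -q 'IN[[:space:]][[:space:]]*RRSIG[[:space:]]'; then
    echo "ok"; return 0
  fi
  echo "stripped"; return 1
}

# probe_forwarder SERVER [NAME]: live check against a real forwarder.
probe_forwarder() {
  dig @"$1" "${2:-example.com}" A +dnssec +cdflag +noall +comments +answer | dnssec_verdict
}

# Constructed sample outputs (hand-written, not captured from any ISP).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600  IN  A      192.0.2.1
example.com.  3600  IN  RRSIG  A 13 2 3600 20240201000000 20240101000000 4242 example.com. c29tZS1zaWc='
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600  IN  A      192.0.2.1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh probe.sh 192.0.2.53 [name]  (runs the live probe, then exits)
if [ "$#" -gt 0 ]; then
  probe_forwarder "$@"
  exit $?
fi
```

A forwarder that answers "stripped" is exactly the case where leaving forwarding on with validation enabled fails, while either option from the earlier reply (drop validation, or drop forwarding) works.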

Guys, if I’m understanding the situation correctly, this update broke my router too (because my ISP doesn’t do DNSSEC properly). Nothing would resolve, and I had to turn forwarding off to fix it. (I now find, from this thread, that instead I can leave forwarding on but turn off DNSSEC and that works, so I’m using that configuration now.)

It’s really not acceptable for updates to make changes to the default config like this, particularly given that you know (as it says so in the UI) that some ISPs have broken DNSSEC support. Please don’t do that sort of thing again, OK? :slight_smile: