# Why must each nameserver in LAN support DNSSEC when using local_unbound?



## sdf (Aug 22, 2018)

Hello,



> If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test.



Why?

Thanks.


----------



## rigoletto@ (Aug 22, 2018)

Because DNSSEC is ENABLED.


----------



## sdf (Aug 22, 2018)

But why will local DNS resolution fail after DNSSEC is enabled?


----------



## rigoletto@ (Aug 22, 2018)

How have you configured your local stuff?

[EDIT]

If you have just a few machines you can do it inside the unbound.conf(5).


```
# For local_unbound on FreeBSD this can go in /var/unbound/conf.d/local.conf,
# which the generated /var/unbound/unbound.conf includes.
server:
    # Forward zone for the private domain. "transparent" answers from local data
    # and still resolves any other name normally.
    local-zone: "example.local." transparent
    local-data: "router.example.local. IN A 10.0.0.1"

    # Reverse zone for 10.0.0.0/16. "static" answers from local data and returns
    # NXDOMAIN/NODATA for anything else instead of forwarding it.
    local-zone: "0.10.in-addr.arpa." static
    local-data: "1.0.0.10.in-addr.arpa. IN PTR router.example.local."
```


----------



## ShelLuser (Aug 22, 2018)

Local servers don't need to have DNSSEC enabled, it all depends on how you configured your resolver and what domains you're trying to access.


----------



## sdf (Aug 22, 2018)

Single VM, no DNS server, and if DNSSEC is not disabled, the domain name will not be resolved.


----------



## rigoletto@ (Aug 22, 2018)

sdf

It is hard to tell what is going on there with the information you provided. Can you describe the entire situation, including how that domain was configured and whether it is a registered domain or a private one (something.local)?


----------



## sdf (Aug 22, 2018)

One virtual machine.

/etc/resolv.conf:

```
search example.com
nameserver 192.168.1.1      # This is the LAN interface of a wireless router.
```

Then `service local_unbound onestart`.
No configuration in unbound.conf has been modified.

```
# drill -S freebsd.org @192.168.1.1
:: Number of trusted keys: 2
:: Chasing: freebsd.org. A

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
:: Chase failed.

# ping -c1 freebsd.org
ping: cannot resolve freebsd.org: Host name lookup failure
```


----------
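The handbook sentence quoted at the top of the thread says to test each nameserver and remove any that fail, without saying what the test is. What local_unbound needs from a forwarder is concrete: unbound validates with the root trust anchor, forwards every query to the addresses from /etc/resolv.conf, and sends them with the EDNS0 DO bit set. A forwarder that answers such a query for a signed name without the RRSIG records (or rejects the EDNS query outright) leaves unbound unable to validate, so the stub resolver gets SERVFAIL and `ping` reports a lookup failure, even though the router itself answers fine when asked directly. The script below is an added example for that per-nameserver check; it is not code from the thread or from FreeBSD's local-unbound-setup. It assumes drill(1) from the FreeBSD base system and /etc/resolv.conf as the list of candidates; the `SAMPLE_*` strings are constructed drill output for illustration, not real captures, and the addresses in them are documentation addresses.

```shell
#!/bin/sh
# Added example: per-nameserver DNSSEC pass-through check for local_unbound forwarders.
# Not from the thread or from FreeBSD's local-unbound-setup. Assumes drill(1) is
# installed and nameservers are listed in /etc/resolv.conf. SAMPLE_* below are
# constructed, not captured from a real server.

# Print the nameserver addresses from resolv.conf-style text on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Classify drill -D output on stdin: "ok" when the reply is NOERROR and the answer
# carries at least one RRSIG (the server passes DNSSEC data through), "fail" when
# signatures are missing or the rcode is an error such as FORMERR on EDNS queries.
# A validating resolver needs those RRSIGs; without them it cannot validate a
# signed zone and answers SERVFAIL to the client.
dnssec_verdict() {
    awk '
        /rcode:/ && $0 !~ /rcode: NOERROR/ { bad = 1 }
        /^;/ { next }                         # header and section comment lines
        $3 == "IN" && $4 == "RRSIG" { sig = 1 }
        END { v = (sig && !bad) ? "ok" : "fail"; print v }
    '
}

# Query one nameserver with the DO bit set (drill -D) and classify the reply.
# Usage: check_ns 192.168.1.1 freebsd.org
check_ns() {
    drill -D "$2" @"$1" | dnssec_verdict
}

# Test every nameserver in /etc/resolv.conf against a signed name. Returns
# non-zero if any fails, i.e. should be removed before starting local_unbound.
check_all() {
    name=${1:-freebsd.org}
    rc=0
    for ns in $(nameservers < /etc/resolv.conf); do
        verdict=$(check_ns "$ns" "$name")
        printf '%-16s %s\n' "$ns" "$verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# --- constructed samples (not real captures) ---
SAMPLE_RESOLV='search example.com
nameserver 192.168.1.1      # LAN side of a home router
nameserver 192.0.2.53'

# A forwarder that passes DNSSEC data through: A record plus its RRSIG.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
freebsd.org.    3600    IN    A       192.0.2.10
freebsd.org.    3600    IN    RRSIG   A 13 2 3600 20180901000000 20180801000000 4242 freebsd.org. c2lnbmF0dXJl'

# A forwarder that strips the signatures: the answer looks fine to a plain client.
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4712
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
freebsd.org.    3600    IN    A       192.0.2.10'

# A forwarder that rejects EDNS queries altogether.
SAMPLE_FORMERR=';; ->>HEADER<<- opcode: QUERY, rcode: FORMERR, id: 4713
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Run the live check only when invoked as: sh check_dnssec.sh --check [name]
if [ "${1-}" = "--check" ]; then
    check_all "${2-}"
fi
```

Run it as `sh check_dnssec.sh --check` before enabling local_unbound; any nameserver printed as `fail` is one the handbook tells you to drop from /etc/resolv.conf (or replace with a resolver that does pass signatures). The verdict is deliberately based on the presence of RRSIGs rather than the `ad` flag, because a forwarder does not have to validate itself, it only has to hand the signatures through so unbound can.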



## hruodr (Apr 18, 2019)

Was an answer found to this question?

I have one installation that fails and another that succeeds with the same server on the home router.

I think I need a certificate on the computer that fails.



sdf said:


> DNSSEC Trust tree:
> <no data>
> No trusted keys found in tree: first error was: No DNSSEC public key(s)
> :: Chase failed.


----------

