Unable to resolve .eu TLD (unbound issue, open)

Meryl commented on June 1, 2024
Unable to resolve .eu TLD

from unbound.

Comments (5)

wcawijngaards commented on June 1, 2024

From looking at the logs, it seems that the issue is that Unbound is configured to DNSSEC validate. The .eu DNSKEY is too large to fit in a UDP response. UDP responses work fine, but the TCP response fails with a timeout. This happens again and again, until you give up. Perhaps the firewall is set to allow UDP but not TCP traffic? TCP traffic does not get answers, and this is why the resolution fails: it works, but the DNSSEC verification fails to fetch the .eu DNSKEY RRset because it is large and needs to use TCP for transport, and TCP traffic fails with a timeout. Unbound tries several of the upstream forwarders that are configured.

Meryl commented on June 1, 2024

Well, disabling DNSSEC validation per this page in the docs does in fact make it work again.

I also tried disabling all rules in iptables and the firewall on my modem; neither seemed to matter. I also have no trouble setting up any other TCP connections, and it seems to be a relatively recent development (it started around the beginning of this week). Do you know if there's a reliable way to test if this is a firewall issue of some kind?

wcawijngaards commented on June 1, 2024

Supposedly when Unbound makes a TCP connection, this is very similar to performing a dig +tcp @that_ip_address query_name, from the same host as where unbound is running. If the option for outgoing interface is set, that would change the outgoing interface for that.

Meryl commented on June 1, 2024

dig +tcp loots.eu @1.1.1.1 works fine. I tried with +dnssec +tcp to eu as well, seeing as somehow that would seem to be the issue, but everything came through fine.

wcawijngaards commented on June 1, 2024

If it works like that then why can Unbound not do it? It is really doing the same thing; unless you use configuration options like outgoing-interface, or socket options, or TLS settings.
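
The check discussed in this thread, as an added example (not part of the thread and not Unbound's code): it asks one forwarder for the eu. DNSKEY RRset with the DNSSEC OK bit set, first over UDP and then over TCP, and reports whether the TCP leg fails. It assumes an IPv4 forwarder on port 53; the function names and result labels are hypothetical, and 1.1.1.1 is only the address used in the thread.

```python
import socket
import struct

def build_query(name, qtype=48, qid=0x1234, udp_size=1232):
    """DNSKEY (type 48) query with RD set and an EDNS0 OPT record carrying DO."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".") if p) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)  # DO bit set
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": answers}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(server, name="eu.", timeout=5.0):
    query, results = build_query(name), []
    for kind in (socket.SOCK_DGRAM, socket.SOCK_STREAM):  # UDP first, then TCP
        try:
            with socket.socket(socket.AF_INET, kind) as s:  # assumes IPv4
                s.settimeout(timeout)
                s.connect((server, 53))
                if kind == socket.SOCK_STREAM:  # DNS over TCP: 2-byte length prefix
                    s.sendall(struct.pack("!H", len(query)) + query)
                    size = struct.unpack("!H", recv_exact(s, 2))[0]
                    results.append(parse_header(recv_exact(s, size)))
                else:
                    s.send(query)
                    results.append(parse_header(s.recv(4096)))
        except (OSError, struct.error) as exc:  # timeout, refusal, short reply
            results.append(f"error: {exc!r}")
    return tuple(results)  # (udp, tcp): header dict or error string each

def diagnose(udp, tcp):
    if isinstance(tcp, str):
        return "tcp-broken"  # the failure described in the thread
    truncated = isinstance(udp, dict) and udp["tc"]
    return "udp-truncated-tcp-ok" if truncated else "ok"

if __name__ == "__main__":
    print(diagnose(*probe("1.1.1.1")))  # repeat for each configured forwarder
```

Run it on the host where Unbound runs, once per configured forwarder; a "tcp-broken" result for a forwarder corresponds to the TCP timeout described above.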