Hi,
The issue seems to be with the domain itself: it looks like it is rated as insecure, because the domain doesn't seem to have a valid DNSKEY.
I did some tracing and found the following.
1st test was to ask the Quad9 public DNS server:
10:33:35.300433 eth0 Out IP 192.168.0.79.48107 > 9.9.9.9.53: 23302+ [1au] A? registry.sx. (52)
10:33:40.306411 eth0 Out IP 192.168.0.79.48107 > 9.9.9.9.53: 23302+ [1au] A? registry.sx. (52)
10:33:40.334514 eth0 In IP 9.9.9.9.53 > 192.168.0.79.48107: 23302$ 1/0/1 A 98.129.229.208 (56)
You see the request going out from my system and getting an answer a couple of seconds later with IP 98.129.229.208.
That's fine, even if it takes quite long.
2nd test is to ask unbound:
10:33:58.748844 lo In IP 127.0.0.1.56432 > 127.0.0.1.5335: UDP, length 52
10:33:58.748995 lo In IP 127.0.0.1.5335 > 127.0.0.1.56432: UDP, length 40
10:33:58.749073 eth0 Out IP 192.168.0.79.25940 > 185.159.198.10.53: 6319% [1au] A? REGIstRy.Sx. (40)
10:33:58.773714 eth0 In IP 185.159.198.10.53 > 192.168.0.79.25940: 6319*- 2/0/1 A 98.129.229.208, RRSIG (238)
10:33:58.774006 eth0 Out IP 192.168.0.79.57719 > 185.159.198.10.53: 48290% [1au] DNSKEY? sx. (31)
10:33:58.797434 eth0 In IP 185.159.198.10.53 > 192.168.0.79.57719: 48290*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.797767 eth0 Out IP 192.168.0.79.59599 > 185.159.197.10.53: 56369% [1au] DNSKEY? sx. (31)
10:33:58.829119 eth0 In IP 185.159.197.10.53 > 192.168.0.79.59599: 56369*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.829391 eth0 Out IP 192.168.0.79.29279 > 185.159.197.10.53: 11324% [1au] DNSKEY? Sx. (31)
10:33:58.864997 eth0 In IP 185.159.197.10.53 > 192.168.0.79.29279: 11324*- 3/0/1 DNSKEY, DNSKEY, RRSIG (747)
10:33:58.865928 eth0 Out IP 192.168.0.79.33957 > 185.159.197.10.53: 7497% [1au] DNSKEY? sX. (31)
10:33:58.902094 eth0 In IP 185.159.197.10.53 > 192.168.0.79.33957: 7497*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.902432 eth0 Out IP 192.168.0.79.51425 > 185.159.197.10.53: 10905% [1au] DNSKEY? sx. (31)
10:33:58.937879 eth0 In IP 185.159.197.10.53 > 192.168.0.79.51425: 10905*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
In the first lines you see my system asking unbound, and later on unbound going to check with the root DNS server. There I'm getting the answer 98.129.229.208 as well. However, unbound is not accepting it and continues to ask the root DNS server for a valid DNSKEY. As this doesn't happen, unbound is not able to complete your request and will print SERVFAIL, as shown in your dig request.
The question is now how to overcome this. There are a couple of options provided in the unbound documentation: https://www.nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/
To avoid disabling DNSSEC completely, you could go with option 4 and exclude your insecure domain from being checked. This can be done as follows:
# printf instead of "echo -e": under /bin/sh (dash) "echo -e" would write a literal "-e" into the file
printf 'server:\n domain-insecure: "registry.sx"\n' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound
Now the request should complete successfully:
11:02:43.759920 lo In IP 127.0.0.1.57623 > 127.0.0.1.5335: UDP, length 52
11:02:43.760092 eth0 Out IP 192.168.0.79.17909 > 192.112.36.4.53: 28289% [1au] NS? . (28)
11:02:43.791020 eth0 In IP 192.112.36.4.53 > 192.168.0.79.17909: 28289*- 14/0/27 NS k.root-servers.net., NS d.root-servers.net., NS m.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS b.root-servers.net., NS h.root-servers.net., NS c.root-servers.net., NS f.root-servers.net., NS a.root-servers.net., NS e.root-servers.net., NS j.root-servers.net., NS g.root-servers.net., RRSIG (1097)
11:02:43.791272 eth0 Out IP 192.168.0.79.38750 > 199.9.14.201.53: 45631% [1au] A? sx. (31)
11:02:43.791340 eth0 Out IP 192.168.0.79.27435 > 192.203.230.10.53: 21767% [1au] DNSKEY? . (28)
11:02:43.818873 eth0 In IP 192.203.230.10.53 > 192.168.0.79.27435: 21767*- 3/0/1 DNSKEY, DNSKEY, RRSIG (864)
11:02:43.818873 eth0 In IP 199.9.14.201.53 > 192.168.0.79.38750: 45631- 0/6/5 (577)
11:02:43.819133 eth0 Out IP 192.168.0.79.35284 > 185.159.197.10.53: 42768% [1au] A? rEGiStRY.sX. (40)
11:02:43.819281 eth0 Out IP 192.168.0.79.51463 > 185.159.198.10.53: 56618% [1au] DNSKEY? Sx. (31)
11:02:43.844495 eth0 In IP 185.159.198.10.53 > 192.168.0.79.51463: 56618*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
11:02:43.851249 eth0 In IP 185.159.197.10.53 > 192.168.0.79.35284: 42768*- 2/0/1 A 98.129.229.208, RRSIG (238)
11:02:43.851338 lo In IP 127.0.0.1.5335 > 127.0.0.1.57623: UDP, length 56
root@DietPi:~# dig registry.sx @127.0.0.1 -p 5335
; <<>> DiG 9.16.15-Debian <<>> registry.sx @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35269
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry.sx. IN A
;; ANSWER SECTION:
registry.sx. 300 IN A 98.129.229.208
;; Query time: 91 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 09 11:02:43 CEST 2021
;; MSG SIZE rcvd: 56
root@DietPi:~#
But honestly, it would be better if the domain were able to provide a valid DNSKEY.
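An added example, not part of the original post, that packages the check and the workaround above as shell functions. Before writing a domain-insecure override it is worth confirming that the SERVFAIL really is a DNSSEC validation failure rather than a resolution failure: dig's +cd flag (checking disabled) makes unbound hand back the data it could not validate, so a query that fails plainly but succeeds with +cd points at validation. The config directory, the listening port 5335 and the file name are assumptions matching the post; dig, unbound-checkconf and systemctl are the real tools, everything else is illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate the per-zone
# domain-insecure override for unbound and classify a dig result so the
# override is only applied when the failure really is a DNSSEC
# validation failure. Directory and port are assumptions taken from the
# post (DietPi: /etc/unbound/unbound.conf.d, unbound on 127.0.0.1:5335).

# Accept only a plausible DNS name before it is written into a config
# file: labels of letters, digits and hyphens separated by dots.
valid_zone() {
    printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.?$'
}

# write_insecure_conf ZONE CONFDIR
# Writes CONFDIR/domain-insecure-ZONE.conf and prints its path.
# printf is used instead of "echo -e" so the snippet also works in
# /bin/sh (dash), where "echo -e" prints a literal "-e".
write_insecure_conf() {
    zone=$1
    confdir=$2
    if ! valid_zone "$zone"; then
        echo "refusing to write config for '$zone'" >&2
        return 1
    fi
    f="$confdir/domain-insecure-$zone.conf"
    printf 'server:\n    domain-insecure: "%s"\n' "$zone" > "$f"
    printf '%s\n' "$f"
}

# classify_rcodes PLAIN_RCODE CD_RCODE
# PLAIN_RCODE is the status of a normal query against the validating
# resolver, CD_RCODE the status of the same query with +cd (checking
# disabled, i.e. validation skipped). The combination separates the
# failure modes:
#   SERVFAIL / NOERROR  -> data resolves but fails validation (bogus);
#                          domain-insecure is the applicable workaround
#   SERVFAIL / SERVFAIL -> resolution itself fails; domain-insecure will
#                          not help, look at reachability or the zone
#   NOERROR  / *        -> nothing to fix
classify_rcodes() {
    case "$1/$2" in
        NOERROR/*)         echo ok ;;
        SERVFAIL/NOERROR)  echo validation-failure ;;
        SERVFAIL/SERVFAIL) echo resolution-failure ;;
        *)                 echo unknown ;;
    esac
}

# rcode NAME SERVER PORT [EXTRA_DIG_FLAGS...]
# Extracts the status field from a real dig run (needs network; the
# offline checks do not exercise it).
rcode() {
    name=$1; server=$2; port=$3
    shift 3
    dig +time=3 +tries=1 "$@" "$name" @"$server" -p "$port" \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Usage on a live system (assumed resolver address and port):
#   plain=$(rcode registry.sx 127.0.0.1 5335)
#   cd=$(rcode registry.sx 127.0.0.1 5335 +cd)
#   case $(classify_rcodes "$plain" "$cd") in
#       validation-failure)
#           write_insecure_conf registry.sx /etc/unbound/unbound.conf.d \
#               && unbound-checkconf && systemctl restart unbound ;;
#   esac
```

Keep in mind what the override does: domain-insecure tells unbound to treat registry.sx and everything below it as if it were unsigned, so answers for that zone are accepted without any DNSSEC protection. It is a per-zone downgrade, not a fix, which is why the closing remark of the post still stands.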