Re: Unwind + NSD usage question

2021-09-28 Thread abyxcos
On Tue, Sep 28, 2021, at 11:22, Brian Brombacher wrote:
>> On Sep 27, 2021, at 8:52 PM, abyx...@mnetic.ch wrote:
>> 
>> Hello, trying to set up unwind with nsd on the same machine serving an 
>> internal domain (home.arpa) with all my machines being part of that domain, 
>> eg router.home.arpa. If I point dig at my nsd instance (dig @127.0.0.1 -p 
>> 10053 router.home.arpa. A) I see my subdomains in the zone all being 
>> returned (router.home.arpa. -> 10.0.0.1). If I set nsd as a forwarder in 
>> unwind.conf (forwarder 127.0.0.1 port 10053) though, things get weird. My 
>> ISP doesn't return any results for home.arpa but some other servers (quad9 
>> and cloudflare?) return a blackhole address pointing to prisoner.iana.org. If 
>> I limit unwind to preference {forwarder recursor} I now get my local nsd 
>> results for my domains as expected. If I comment out the preference line, 
>> unwind eventually learns a server that will answer to home.arpa with the 
>> blackhole prisoner.iana.org address (at least a minute in, sometimes longer, 
>> makes testing difficult). The use of force forwarder {home.arpa} and force 
>> accept bogus forwarder {home.arpa} don't appear to have any effect at all. 
>> (Full configs and dmesg below). 
>> 
>> I dug through the code a bit, if I'm following it correctly in 
>> sbin/unwind/resolver.c:check_resolver_done, nsd seems to be returning a 
>> SERVFAIL and being marked dead (as confirmed with unwindctl status). I am not 
>> sure I followed the code correctly at this point, but being set to DEAD 
>> and/or returning a SERVFAIL seems to preempt the use of force accept bogus. 
>> I am not sure what test unwind/libunbound are doing to check the health 
>> status of the different resolvers but I have yet to see my nsd forwarder not 
>> marked as "dead" in unwindctl status. Any ideas on how to debug this? This 
>> happens on both 6.9 and -current. The -current dmesg is posted below. 
>> 
>> 
>> 
>> ---
>> router# cat /etc/unwind.conf 
>>   
>> forwarder {
>>127.0.0.1 port 10053
>> }
>> 
>> force accept bogus forwarder { home.arpa }
>> #force autoconf { home.arpa }
>> preference { forwarder recursor }
>
> Shouldn’t this be:
>
> preference { recursor forwarder }
>
> The force forwarder is good enough for home.arpa to “prefer” (force) 
> the use of the forwarder.
>
> This way your recursor will find results via the internet while 
> home.arpa will go to NSD.
>
> I have not tested this, and I use unbound as others have described to 
> forward local domains to my NSD.

The necessity of this ordering is brought about by NSD being marked as a
"DEAD" resolver. Overriding the ordering via the preference tag of course 
brings about its own problems. 



Re: Unwind + NSD usage question

2021-09-28 Thread Brian Brombacher



> On Sep 27, 2021, at 8:52 PM, abyx...@mnetic.ch wrote:
> 
> Hello, trying to set up unwind with nsd on the same machine serving an 
> internal domain (home.arpa) with all my machines being part of that domain, 
> eg router.home.arpa. If I point dig at my nsd instance (dig @127.0.0.1 -p 
> 10053 router.home.arpa. A) I see my subdomains in the zone all being returned 
> (router.home.arpa. -> 10.0.0.1). If I set nsd as a forwarder in unwind.conf 
> (forwarder 127.0.0.1 port 10053) though, things get weird. My ISP doesn't 
> return any results for home.arpa but some other servers (quad9 and 
> cloudflare?) return a blackhole address pointing to prisoner.iana.org. If I 
> limit unwind to preference {forwarder recursor} I now get my local nsd 
> results for my domains as expected. If I comment out the preference line, 
> unwind eventually learns a server that will answer to home.arpa with the 
> blackhole prisoner.iana.org address (at least a minute in, sometimes longer, 
> makes testing difficult). The use of force forwarder {home.arpa} and force 
> accept bogus forwarder {home.arpa} don't appear to have any effect at all. 
> (Full configs and dmesg below). 
> 
> I dug through the code a bit, if I'm following it correctly in 
> sbin/unwind/resolver.c:check_resolver_done, nsd seems to be returning a 
> SERVFAIL and being marked dead (as confirmed with unwindctl status). I am not 
> sure I followed the code correctly at this point, but being set to DEAD 
> and/or returning a SERVFAIL seems to preempt the use of force accept bogus. I 
> am not sure what test unwind/libunbound are doing to check the health status 
> of the different resolvers but I have yet to see my nsd forwarder not marked 
> as "dead" in unwindctl status. Any ideas on how to debug this? This happens 
> on both 6.9 and -current. The -current dmesg is posted below. 
> 
> 
> 
> ---
> router# cat /etc/unwind.conf  
>  
> forwarder {
>127.0.0.1 port 10053
> }
> 
> force accept bogus forwarder { home.arpa }
> #force autoconf { home.arpa }
> preference { forwarder recursor }

Shouldn’t this be:

preference { recursor forwarder }

The force forwarder is good enough for home.arpa to “prefer” (force) the use of 
the forwarder.

This way your recursor will find results via the internet while home.arpa will 
go to NSD.

I have not tested this, and I use unbound as others have described to forward 
local domains to my NSD.


> #preference { recursor DoT forwarder }
> ---
> 
> 
> ---
> router# cat /var/nsd/etc/nsd.conf 
>  
> # $OpenBSD: nsd.conf,v 1.13 2018/08/16 17:59:12 florian Exp $
> 
> server:
>hide-version: yes
>verbosity: 1
>database: "" # disable database
> 
> ## bind to a specific address/port
>ip-address: 127.0.0.1@10053
> 
> ## make packets as small as possible, on by default
> #   minimal-responses: yes
> 
> ## respond with truncation for ANY queries over UDP and allow ANY over TCP,
> ## on by default
> #   refuse-any: yes
> 
> remote-control:
>control-enable: yes
>control-interface: /var/run/nsd.sock
> 
> zone:
>name: "home.arpa."
>zonefile: "master/home.arpa"
> ---
> 
> 
> ---
> router# unwindctl status  
>  
> 1. recursor   validating,  30ms   2. forwarder  dead,  15ms
> 
>   histograms: lifetime[ms], decaying[ms]
>           <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
>    rec   1634  1008  1014   619   292   339   973   667   156    26     7     1
>            16    14     8     6     1     3     6     5     0     0     0     0
>   forw 223886     0     0     0     0     0     0     0     0     0     0     0
>            19     0     0     0     0     0     0     0     0     0     0     0
> ---
> 
> 
> ---
> router# dig @127.0.0.1 home.arpa. A
> 
> ; <<>> dig 9.10.8-P1 <<>> @127.0.0.1 home.arpa. A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41102
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;home.arpa. IN  A
> 
> ;; ANSWER SECTION:
> home.arpa.  413 IN  A   10.0.0.1
> 
> ;; Query time: 62 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Sep 27 20:46:38 EDT 2021
> ;; MSG SIZE  rcvd: 43
> ---
> 
> 
> ---
> router# dig @9.9.9.9 home.arpa. A   
> 
> ; <<>> dig 9.10.8-P1 <<>> @9.9.9.9 home.arpa. A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53702
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;home.arpa. IN  A
> 
> ;; AUTHORITY SECTION:
> home.arpa.  3600IN  SOA

Re: Unwind + NSD usage question

2021-09-28 Thread abyxcos
On Tue, Sep 28, 2021, at 06:25, Paul de Weerd wrote:
> Hi,
>
> Why do you set your NSD as a forwarder?  How is unbound supposed to
> know what queries should go to your NSD versus the rest of the
> internet?

Thanks Paul and Otto. I chose NSD here because it looked much easier than 
unbound to set up and my background isn't in networking. I set it as the 
forwarder
because I misread, misunderstood, or disagree with the force and force 
accept bogus section in unwind.conf(5). The force example at the bottom of 
unwind.conf(5) suggests that such usage was considered, and the accept bogus 
keyword reads like it would be appropriate for this use case, but assuming my 
reading of the code is correct, then DEAD trumps bogus. From your replies, it
makes sense that NSD is being marked as DEAD.

From my read of the code, adding another state to mark resolvers as "partially 
available" would just needlessly complicate things. I think for my specific use
(correct or not), allowing accept bogus to ignore DEAD and attempt to get an 
answer anyway from a forced resolver match would be the "easiest", but I'm
not sure what failure cases that creates. 

I'll poke around at unbound a bit in the meanwhile, thanks. 

>
> Otto's answer is a good solution, but I wanted to share mine:
>
> If you have your NSD setup running to only serve those
> 'router.home.arpa' records and rDNS for your addresses, you could
> configure unbound to request those from the local NSD, while taking
> the rest from the internet:
>
> local-zone: "10.in-addr.arpa." nodefault
>
> stub-zone:
> name: router.home.arpa
> stub-addr: 127.0.0.1@10053
>
> stub-zone:
> name: 10.in-addr.arpa
> stub-addr: 127.0.0.1@10053
>
> That's exactly what I do (well, my zones differ, and my NSD listens on
> ::1@54, but you get my point) and it works very well.
>
> Paul 'WEiRD' de Weerd
>
> On Mon, Sep 27, 2021 at 08:50:06PM -0400, abyx...@mnetic.ch wrote:
> | Hello, trying to set up unwind with nsd on the same machine serving
> | an internal domain (home.arpa) with all my machines being part of
> | that domain, eg router.home.arpa. If I point dig at my nsd instance
> | (dig @127.0.0.1 -p 10053 router.home.arpa. A) I see my subdomains in
> | the zone all being returned (router.home.arpa. -> 10.0.0.1). If I
> | set nsd as a forwarder in unwind.conf (forwarder 127.0.0.1 port
> | 10053) though, things get weird. My ISP doesn't return any results
> | for home.arpa but some other servers (quad9 and cloudflare?) return a
> | blackhole address pointing to prisoner.iana.org. If I limit unwind
> | to preference {forwarder recursor} I now get my local nsd results
> | for my domains as expected. If I comment out the preference line,
> | unwind eventually learns a server that will answer to home.arpa with
> | the blackhole prisoner.iana.org address (at least a minute in,
> | sometimes longer, makes testing difficult). The use of force
> | forwarder {home.arpa} and force accept bogus forwarder {home.arpa}
> | don't appear to have any effect at all. (Full configs and dmesg
> | below). 
> | 
> | I dug through the code a bit, if I'm following it correctly in
> | sbin/unwind/resolver.c:check_resolver_done, nsd seems to be
> | returning a SERVFAIL and being marked dead (as confirmed with
> | unwindctl status). I am not sure I followed the code correctly at
> | this point, but being set to DEAD and/or returning a SERVFAIL seems
> | to preempt the use of force accept bogus. I am not sure what test
> | unwind/libunbound are doing to check the health status of the
> | different resolvers but I have yet to see my nsd forwarder not
> | marked as "dead" in unwindctl status. Any ideas on how to debug
> | this? This happens on both 6.9 and -current. The -current dmesg is
> | posted below. 
> | 
> | 
> | 
> | ---
> | router# cat /etc/unwind.conf  
>  
> | forwarder {
> | 127.0.0.1 port 10053
> | }
> | 
> | force accept bogus forwarder { home.arpa }
> | #force autoconf { home.arpa }
> | preference { forwarder recursor }
> | #preference { recursor DoT forwarder }
> | ---
> | 
> | 
> | ---
> | router# cat /var/nsd/etc/nsd.conf 
>  
> | # $OpenBSD: nsd.conf,v 1.13 2018/08/16 17:59:12 florian Exp $
> | 
> | server:
> | hide-version: yes
> | verbosity: 1
> | database: "" # disable database
> | 
> | ## bind to a specific address/port
> | ip-address: 127.0.0.1@10053
> | 
> | ## make packets as small as possible, on by default
> | #   minimal-responses: yes
> | 
> | ## respond with truncation for ANY queries over UDP and allow ANY 
> over TCP,
> | ## on by default
> | #   refuse-any: yes
> | 
> | remote-control:
> | control-enable: yes
> | control-interface: /var/run/nsd.sock
> | 
> | zone:
> | name: "home.arpa."
> | zonefile: "master/home.arpa"
> | ---
> | 

Re: Unwind + NSD usage question

2021-09-28 Thread Ingo Schwarze
Hello Paul,

Paul de Weerd wrote on Tue, Sep 28, 2021 at 12:44:07PM +0200:

> 'local-data-ptr:' in unbound.conf(5):
> http://man.openbsd.org/unbound.conf#local~2
> http://man.openbsd.org/unbound.conf#local~3

heh, thank you for *both* of these bug reports,
i'm adding them to the mandoc TODO file for now,
but neither is expected to be hard to fix:

- tag.c, tag_put() should not put ASCII_HYPH into the tag file,
  which happens when the tag contains "-" on the input side
  weerd@ 28 Sep 2021 12:44:07 +0200
  loc *  exist *  algo *  size *  imp ***

- tag.c, tag_put() and callers like man_validate.c, check_tag()
  should not mistake "\-" as a word-ending escape sequence but
  instead translate it to plain "-" in the tag name
  weerd@ 28 Sep 2021 12:44:07 +0200
  loc **  exist *  algo *  size *  imp ***

Yours,
  Ingo



Re: Unwind + NSD usage question

2021-09-28 Thread Paul de Weerd
On Tue, Sep 28, 2021 at 12:25:30PM +0200, Paul de Weerd wrote:
| Otto's answer is a good solution, but I wanted to share mine:

Read Otto's answer too fast - he's basically talking about the same
solution I think.

Unbound has another alternative where you configure it to serve
specific records authoritatively from its own configuration (which is
what I thought Otto was talking about).  Search for 'local-data:' and
'local-data-ptr:' in unbound.conf(5):

http://man.openbsd.org/unbound.conf#local~2
http://man.openbsd.org/unbound.conf#local~3

Cheers,

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: Unwind + NSD usage question

2021-09-28 Thread Paul de Weerd
Hi,

Why do you set your NSD as a forwarder?  How is unbound supposed to
know what queries should go to your NSD versus the rest of the
internet?

Otto's answer is a good solution, but I wanted to share mine:

If you have your NSD setup running to only serve those
'router.home.arpa' records and rDNS for your addresses, you could
configure unbound to request those from the local NSD, while taking
the rest from the internet:

local-zone: "10.in-addr.arpa." nodefault

stub-zone:
name: router.home.arpa
stub-addr: 127.0.0.1@10053

stub-zone:
name: 10.in-addr.arpa
stub-addr: 127.0.0.1@10053

That's exactly what I do (well, my zones differ, and my NSD listens on
::1@54, but you get my point) and it works very well.

Paul 'WEiRD' de Weerd

On Mon, Sep 27, 2021 at 08:50:06PM -0400, abyx...@mnetic.ch wrote:
| Hello, trying to set up unwind with nsd on the same machine serving
| an internal domain (home.arpa) with all my machines being part of
| that domain, eg router.home.arpa. If I point dig at my nsd instance
| (dig @127.0.0.1 -p 10053 router.home.arpa. A) I see my subdomains in
| the zone all being returned (router.home.arpa. -> 10.0.0.1). If I
| set nsd as a forwarder in unwind.conf (forwarder 127.0.0.1 port
| 10053) though, things get weird. My ISP doesn't return any results
| for home.arpa but some other servers (quad9 and cloudflare?) return a
| blackhole address pointing to prisoner.iana.org. If I limit unwind
| to preference {forwarder recursor} I now get my local nsd results
| for my domains as expected. If I comment out the preference line,
| unwind eventually learns a server that will answer to home.arpa with
| the blackhole prisoner.iana.org address (at least a minute in,
| sometimes longer, makes testing difficult). The use of force
| forwarder {home.arpa} and force accept bogus forwarder {home.arpa}
| don't appear to have any effect at all. (Full configs and dmesg
| below). 
| 
| I dug through the code a bit, if I'm following it correctly in
| sbin/unwind/resolver.c:check_resolver_done, nsd seems to be
| returning a SERVFAIL and being marked dead (as confirmed with
| unwindctl status). I am not sure I followed the code correctly at
| this point, but being set to DEAD and/or returning a SERVFAIL seems
| to preempt the use of force accept bogus. I am not sure what test
| unwind/libunbound are doing to check the health status of the
| different resolvers but I have yet to see my nsd forwarder not
| marked as "dead" in unwindctl status. Any ideas on how to debug
| this? This happens on both 6.9 and -current. The -current dmesg is
| posted below. 
| 
| 
| 
| ---
| router# cat /etc/unwind.conf  
 
| forwarder {
| 127.0.0.1 port 10053
| }
| 
| force accept bogus forwarder { home.arpa }
| #force autoconf { home.arpa }
| preference { forwarder recursor }
| #preference { recursor DoT forwarder }
| ---
| 
| 
| ---
| router# cat /var/nsd/etc/nsd.conf 
 
| # $OpenBSD: nsd.conf,v 1.13 2018/08/16 17:59:12 florian Exp $
| 
| server:
| hide-version: yes
| verbosity: 1
| database: "" # disable database
| 
| ## bind to a specific address/port
| ip-address: 127.0.0.1@10053
| 
| ## make packets as small as possible, on by default
| #   minimal-responses: yes
| 
| ## respond with truncation for ANY queries over UDP and allow ANY over TCP,
| ## on by default
| #   refuse-any: yes
| 
| remote-control:
| control-enable: yes
| control-interface: /var/run/nsd.sock
| 
| zone:
| name: "home.arpa."
| zonefile: "master/home.arpa"
| ---
| 
| 
| ---
| router# unwindctl status  
 
| 1. recursor   validating,  30ms   2. forwarder  dead,  15ms
| 
|   histograms: lifetime[ms], decaying[ms]
|           <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
|    rec   1634  1008  1014   619   292   339   973   667   156    26     7     1
|            16    14     8     6     1     3     6     5     0     0     0     0
|   forw 223886     0     0     0     0     0     0     0     0     0     0     0
|            19     0     0     0     0     0     0     0     0     0     0     0
| ---
| 
| 
| ---
| router# dig @127.0.0.1 home.arpa. A
| 
| ; <<>> dig 9.10.8-P1 <<>> @127.0.0.1 home.arpa. A
| ; (1 server found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41102
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
| 
| ;; QUESTION SECTION:
| ;home.arpa. IN  A
| 
| ;; ANSWER SECTION:
| home.arpa.  413 IN  A   10.0.0.1
| 
| ;; Query time: 62 msec
| ;; SERVER: 127.0.0.1#53(127.0.0.1)
| ;; WHEN: Mon Sep 27 20:46:38 EDT 2021
| ;; MSG SIZE  rcvd: 43
| ---
| 
| 
| ---
| router# dig 

Re: Unwind + NSD usage question

2021-09-28 Thread Otto Moerbeek
On Mon, Sep 27, 2021 at 08:50:06PM -0400, abyx...@mnetic.ch wrote:

> Hello, trying to set up unwind with nsd on the same machine serving an 
> internal domain (home.arpa) with all my machines being part of that domain, 
> eg router.home.arpa. If I point dig at my nsd instance (dig @127.0.0.1 -p 
> 10053 router.home.arpa. A) I see my subdomains in the zone all being returned 
> (router.home.arpa. -> 10.0.0.1). If I set nsd as a forwarder in unwind.conf 
> (forwarder 127.0.0.1 port 10053) though, things get weird. My ISP doesn't 
> return any results for home.arpa but some other servers (quad9 and 
> cloudflare?) return a blackhole address pointing to prisoner.iana.org. If I 
> limit unwind to preference {forwarder recursor} I now get my local nsd 
> results for my domains as expected. If I comment out the preference line, 
> unwind eventually learns a server that will answer to home.arpa with the 
> blackhole prisoner.iana.org address (at least a minute in, sometimes longer, 
> makes testing difficult). The use of force forwarder {home.arpa} and force 
> accept bogus forwarder {home.arpa} don't appear to have any effect at all. 
> (Full configs and dmesg below). 
> 

> I dug through the code a bit, if I'm following it correctly in
> sbin/unwind/resolver.c:check_resolver_done, nsd seems to be returning
> a SERVFAIL and being marked dead (as confirmed with unwindctl status).
> I am not sure I followed the code correctly at this point, but being
> set to DEAD and/or returning a SERVFAIL seems to preempt the use of
> force accept bogus. I am not sure what test unwind/libunbound are
> doing to check the health status of the different resolvers but I have
> yet to see my nsd forwarder not marked as "dead" in unwindctl status.
> Any ideas on how to debug this? This happens on both 6.9 and -current.
> The -current dmesg is posted below. 

(Please wrap your lines).

Your issue might be that an NSD instance does not work as forwarding
target, since it is not a recursive resolver. unwind expects
forwarders to be able to resolve the whole DNS tree, even if they are
marked to be used for a subtree only.

I have a similar setup, but I am forwarding to a recursive resolver
that is authoritative for my local private domain. Any resolver I know
has that capability, e.g. with unbound you would use local.zone.

-Otto
> 
> 
> 
> ---
> router# cat /etc/unwind.conf  
>  
> forwarder {
> 127.0.0.1 port 10053
> }
> 
> force accept bogus forwarder { home.arpa }
> #force autoconf { home.arpa }
> preference { forwarder recursor }
> #preference { recursor DoT forwarder }
> ---
> 
> 
> ---
> router# cat /var/nsd/etc/nsd.conf 
>  
> # $OpenBSD: nsd.conf,v 1.13 2018/08/16 17:59:12 florian Exp $
> 
> server:
> hide-version: yes
> verbosity: 1
> database: "" # disable database
> 
> ## bind to a specific address/port
> ip-address: 127.0.0.1@10053
> 
> ## make packets as small as possible, on by default
> #   minimal-responses: yes
> 
> ## respond with truncation for ANY queries over UDP and allow ANY over TCP,
> ## on by default
> #   refuse-any: yes
> 
> remote-control:
> control-enable: yes
> control-interface: /var/run/nsd.sock
> 
> zone:
> name: "home.arpa."
> zonefile: "master/home.arpa"
> ---
> 
> 
> ---
> router# unwindctl status  
>  
> 1. recursor   validating,  30ms   2. forwarder  dead,  15ms
> 
>   histograms: lifetime[ms], decaying[ms]
>           <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
>    rec   1634  1008  1014   619   292   339   973   667   156    26     7     1
>            16    14     8     6     1     3     6     5     0     0     0     0
>   forw 223886     0     0     0     0     0     0     0     0     0     0     0
>            19     0     0     0     0     0     0     0     0     0     0     0
> ---
> 
> 
> ---
> router# dig @127.0.0.1 home.arpa. A
> 
> ; <<>> dig 9.10.8-P1 <<>> @127.0.0.1 home.arpa. A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41102
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;home.arpa. IN  A
> 
> ;; ANSWER SECTION:
> home.arpa.  413 IN  A   10.0.0.1
> 
> ;; Query time: 62 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Sep 27 20:46:38 EDT 2021
> ;; MSG SIZE  rcvd: 43
> ---
> 
> 
> ---
> router# dig @9.9.9.9 home.arpa. A   
> 
> ; <<>> dig 9.10.8-P1 <<>> @9.9.9.9 home.arpa. A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53702
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; 
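The behaviour Otto describes above (a forwarder that serves one zone and nothing else, which unwind then treats as a dead resolver) and the original poster's question about how the health of a resolver is judged can both be checked from the forwarder's own answers. The following is an added example written for this thread; it is not code from unwind, NSD or any poster. It hand-builds a DNS query with the Python standard library, decodes the rcode and AA flag in the reply header, and classifies a server from one in-zone and one out-of-zone reply. The two sample replies are constructed here, not captured from the poster's machine; they encode what an authoritative-only server is expected to return (NSD answers REFUSED for names outside its zones; the poster saw this surface as SERVFAIL inside unwind, which is unwind's reporting rather than the forwarder's reply). Function names, the `probe` helper and the fixed transaction id 0x1234 are my choices.

```python
"""Check whether a DNS server answers for the whole tree or only its own zone.

Added example for this thread, not unwind's or NSD's code.  Standard library
only: a minimal query builder and a header decoder are enough, because the
point is the rcode and AA flag a server hands back for a name it does not serve.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1
TXID = 0x1234  # fixed id for the example; a real client picks a random one


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels plus a zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = TXID, rd: bool = True) -> bytes:
    """Standard query with one question; RD set, as a stub resolver would."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte header: id, QR/AA/RA bits, rcode and answer count."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(in_zone: dict, out_of_zone: dict) -> str:
    """Say what two decoded replies reveal about the server's role.

    A forwarder in the sense unwind expects must answer both names; a server
    that is authoritative for one zone only answers the in-zone query with AA
    set and rejects everything else.
    """
    if (in_zone["rcode"] == "NOERROR" and out_of_zone["rcode"] == "NOERROR"
            and out_of_zone["ra"]):
        return "recursive: resolves names outside its own zones"
    if in_zone["aa"] and in_zone["rcode"] == "NOERROR" \
            and out_of_zone["rcode"] != "NOERROR":
        return "authoritative-only: answers %s for names it does not serve" \
            % out_of_zone["rcode"]
    return "unknown: in-zone %s, out-of-zone %s" % (in_zone["rcode"],
                                                   out_of_zone["rcode"])


def probe(server: str, port: int, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP query and decode the reply header (needs a live server)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != TXID or not hdr["qr"]:
        raise ValueError("reply does not match the query")
    return hdr


# Constructed sample replies (not captured from the poster's setup), shaped
# the way an authoritative-only server answers:
#   in-zone name   -> QR|AA, rcode 0, one A record 10.0.0.1 (TTL 3600)
#   any other name -> QR only, rcode 5 (REFUSED), question echoed back
SAMPLE_IN_ZONE = (struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0)
                  + encode_name("router.home.arpa")
                  + struct.pack("!HH", QTYPE_A, QCLASS_IN)
                  + b"\xc0\x0c"  # compression pointer back to the question name
                  + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
                  + bytes([10, 0, 0, 1]))
SAMPLE_OUT_OF_ZONE = (struct.pack("!HHHHHH", TXID, 0x8005, 1, 0, 0, 0)
                      + encode_name("www.example.com")
                      + struct.pack("!HH", QTYPE_A, QCLASS_IN))


def demo() -> str:
    """Classify the constructed sample server."""
    return classify(parse_header(SAMPLE_IN_ZONE), parse_header(SAMPLE_OUT_OF_ZONE))


if __name__ == "__main__":
    print(demo())
    # Against the poster's live NSD one would compare, for example:
    #   probe("127.0.0.1", 10053, "router.home.arpa")
    #   probe("127.0.0.1", 10053, "www.example.com")
```

The second `probe` call is the one that matters for the forwarder slot: whatever unwind's exact health check does, a server that cannot answer NOERROR for a name outside home.arpa is not what the `forwarder` directive expects, and the unbound stub-zone arrangement elsewhere in this thread exists precisely so that only the in-zone queries ever reach NSD.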

Unwind + NSD usage question

2021-09-27 Thread abyxcos
Hello, trying to set up unwind with nsd on the same machine serving an internal 
domain (home.arpa) with all my machines being part of that domain, eg 
router.home.arpa. If I point dig at my nsd instance (dig @127.0.0.1 -p 10053 
router.home.arpa. A) I see my subdomains in the zone all being returned 
(router.home.arpa. -> 10.0.0.1). If I set nsd as a forwarder in unwind.conf 
(forwarder 127.0.0.1 port 10053) though, things get weird. My ISP doesn't 
return any results for home.arpa but some other servers (quad9 and cloudflare?) 
return a blackhole address pointing to prisoner.iana.org. If I limit unwind to 
preference {forwarder recursor} I now get my local nsd results for my domains 
as expected. If I comment out the preference line, unwind eventually learns a 
server that will answer to home.arpa with the blackhole prisoner.iana.org 
address (at least a minute in, sometimes longer, makes testing difficult). The 
use of force forwarder {home.arpa} and force accept bogus forwarder {home.arpa} 
don't appear to have any effect at all. (Full configs and dmesg below). 

I dug through the code a bit, if I'm following it correctly in 
sbin/unwind/resolver.c:check_resolver_done, nsd seems to be returning a 
SERVFAIL and being marked dead (as confirmed with unwindctl status). I am not 
sure I followed the code correctly at this point, but being set to DEAD and/or 
returning a SERVFAIL seems to preempt the use of force accept bogus. I am not 
sure what test unwind/libunbound are doing to check the health status of the 
different resolvers but I have yet to see my nsd forwarder not marked as "dead" 
in unwindctl status. Any ideas on how to debug this? This happens on both 6.9 
and -current. The -current dmesg is posted below. 



---
router# cat /etc/unwind.conf   
forwarder {
127.0.0.1 port 10053
}

force accept bogus forwarder { home.arpa }
#force autoconf { home.arpa }
preference { forwarder recursor }
#preference { recursor DoT forwarder }
---


---
router# cat /var/nsd/etc/nsd.conf  
# $OpenBSD: nsd.conf,v 1.13 2018/08/16 17:59:12 florian Exp $

server:
hide-version: yes
verbosity: 1
database: "" # disable database

## bind to a specific address/port
ip-address: 127.0.0.1@10053

## make packets as small as possible, on by default
#   minimal-responses: yes

## respond with truncation for ANY queries over UDP and allow ANY over TCP,
## on by default
#   refuse-any: yes

remote-control:
control-enable: yes
control-interface: /var/run/nsd.sock

zone:
name: "home.arpa."
zonefile: "master/home.arpa"
---


---
router# unwindctl status   
1. recursor   validating,  30ms   2. forwarder  dead,  15ms

  histograms: lifetime[ms], decaying[ms]
          <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
   rec   1634  1008  1014   619   292   339   973   667   156    26     7     1
           16    14     8     6     1     3     6     5     0     0     0     0
  forw 223886     0     0     0     0     0     0     0     0     0     0     0
           19     0     0     0     0     0     0     0     0     0     0     0
---


---
router# dig @127.0.0.1 home.arpa. A

; <<>> dig 9.10.8-P1 <<>> @127.0.0.1 home.arpa. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.arpa. IN  A

;; ANSWER SECTION:
home.arpa.  413 IN  A   10.0.0.1

;; Query time: 62 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 27 20:46:38 EDT 2021
;; MSG SIZE  rcvd: 43
---


---
router# dig @9.9.9.9 home.arpa. A   

; <<>> dig 9.10.8-P1 <<>> @9.9.9.9 home.arpa. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53702
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;home.arpa. IN  A

;; AUTHORITY SECTION:
home.arpa.              3600    IN      SOA     prisoner.iana.org. hostmaster.root-servers.org. 1 1800 900 604800 604800

;; Query time: 37 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Sep 27 20:46:57 EDT 2021
;; MSG SIZE  rcvd: 115
---


---
router# dmesg
OpenBSD 7.0 (GENERIC.MP) #229: Fri Sep 24 12:00:02 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4259958784 (4062MB)
avail mem = 4114841600 (3924MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xcfe9e020 (13 entries)
bios0: vendor coreboot version "v4.12.0.1" date 05/29/2020
bios0: PC Engines apu4