On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> I re-enabled unwind today (I was using append instead of prepend in
> dhclient.conf) and I got a few issues resolving domains, often the first
> time, if I try again I get a result. I'm pretty sure it's not a bug, but
> I have no idea what's happening here, so maybe log output or
> documentation could be enhanced.
>
>
> From /var/log/messages (192.168.1.254 is dns from my dhcp)
>
> Feb 3 17:55:44 solene unwind[18044]: validation failure
> <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key
> org. while building chain of trust
> Feb 3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>:
> no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain
> of trust
> Feb 3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>:
> no signatures from 192.168.1.254 for DS it. while building chain of trust
>

Looks like your dhcp nameserver strips DNSSEC in a weird way.
Can you please show

	dig @192.168.1.254 +dnssec . SOA

and

	dig @192.168.1.254 org DNSKEY

-- 
I'm not entirely sure you are real.
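
Added example, not part of the original thread and not unwind's own code: a small Python parser that groups unwind "validation failure" lines by the upstream resolver they name, which is how the log above points at 192.168.1.254. The regular expression is an assumption inferred only from the three quoted log lines (rejoined here onto single lines), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three log lines quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Feb 3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
Feb 3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
Feb 3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
"""

# Assumption: pattern inferred from the lines above, not a documented log format.
FAILURE_RE = re.compile(
    r"unwind\[\d+\]: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<upstream>\S+) "
    r"for (?P<rrtype>\S+) (?P<owner>\S+) while building chain of trust"
)


def parse_failures(text):
    """Return one dict per validation-failure line; other lines are skipped."""
    return [m.groupdict() for m in map(FAILURE_RE.search, text.splitlines()) if m]


def summarize(failures):
    """Group failures by upstream: failed queries, broken chain links, reasons."""
    summary = defaultdict(
        lambda: {"queries": set(), "broken_links": set(), "reasons": set()}
    )
    for f in failures:
        entry = summary[f["upstream"]]
        entry["queries"].add(f["qname"])
        # The (record type, owner) pair is the chain-of-trust step that lacked data.
        entry["broken_links"].add((f["rrtype"], f["owner"]))
        entry["reasons"].add(f["reason"])
    return dict(summary)


if __name__ == "__main__":
    for upstream, info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{upstream}: {len(info['queries'])} failed queries")
        for rrtype, owner in sorted(info["broken_links"]):
            print(f"  missing DNSSEC data for {rrtype} {owner}")
```

When every failure names the same upstream and the broken links sit at different points in the tree (a TLD key, a TLD DS, a second-level DS), the common factor is that forwarder rather than any one zone.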
