On Mon, Feb 03, 2020 at 07:58:24PM +0100, Solene Rapenne wrote:
> On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:
> > On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > > I re-enabled unwind today (I was using append instead of prepend in
> > > dhclient.conf) and I got a few issues resolving domains, often the first
> > > time, if I try again I get a result. I'm pretty sure it's not a bug, but
> > > I have no idea what's happening here, so maybe log output or
> > > documentation could be enhanced.
> > > 
> > > 
> > > From /var/log/messages (192.168.1.254 is dns from my dhcp)
> > > 
> > > Feb 3 17:55:44 solene unwind[18044]: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for key org. while building chain of trust
> > > Feb 3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>: no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain of trust
> > > Feb 3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>: no signatures from 192.168.1.254 for DS it. while building chain of trust
> > > 
> > 
> > Looks like your dhcp nameserver strips DNSSEC in a weird way.
> > Can you please show
> > 
> > dig @192.168.1.254 +dnssec . SOA
> > and
> > dig @192.168.1.254 org DNSKEY
> > 
> > -- 
> > I'm not entirely sure you are real.
> > 
> 
> sure :)
> 
> solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA
> 
> ; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	SOA
> 
> ;; ANSWER SECTION:
> .			84857	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
> 
> ;; Query time: 25 msec
> ;; SERVER: 192.168.1.254#53(192.168.1.254)
> ;; WHEN: Mon Feb 03 19:54:35 CET 2020
> ;; MSG SIZE  rcvd: 103
> 
For the archives: 192.168.1.254 is stripping RRSIGs but unwind thinks dhcp is validating. This is wrong and we need to figure out why.

-- 
I'm not entirely sure you are real.
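The reply above shows the two tells Florian was looking for in the `dig +dnssec . SOA` output: the EDNS line has no `do` flag echoed back, and the root SOA comes back without its RRSIG even though the root zone is always signed. The following script is an added example for this thread (it is not unwind, OpenBSD or either poster's code): it parses dig output, reports the DO bit, the AD flag and the RR types in the answer section, and classifies the resolver as stripping, passthrough (signatures returned, no validation claimed) or validating. The two dig transcripts embedded in it are constructed sample inputs, the first with the same flags and sections as the reply in the thread; the `diagnose()` helper that shells out to `dig` is an assumption about a locally installed dig and needs network access.

```python
"""Classify what a recursive resolver does with DNSSEC, from `dig +dnssec` output.

Added example for this thread; it is not part of unwind or OpenBSD.
Given the text that `dig @resolver +dnssec <name> <type>` prints, report
whether the server echoed the EDNS DO bit, set the AD flag and returned
RRSIG records, then classify the resolver. The two dig transcripts below
are constructed sample inputs: the first mirrors the shape of the reply
shown in the thread, the second is what a validating resolver would send.
"""
import re
import subprocess

HEADER_FLAGS = re.compile(r"^;; flags:\s*([a-z ]*?)\s*;", re.M)
EDNS_FLAGS = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*?)\s*;", re.M)
# owner  TTL  IN  TYPE ...  (question lines start with ';' and carry no TTL, so never match)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)")

# Constructed sample: same flags and sections as the reply quoted in the thread.
STRIPPED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
"""

# Constructed sample of a validating resolver: AD set, DO echoed, RRSIG present.
# The signature field is a placeholder, not a real RRSIG.
VALIDATING_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400
.                       86400   IN      RRSIG   SOA 8 0 86400 20200216050000 20200203040000 33853 . PLACEHOLDERsignatureNotReal==
"""


def parse_dig(output):
    """Extract header flags, EDNS flags and the RR types in the ANSWER section."""
    m = HEADER_FLAGS.search(output)
    header = set(m.group(1).split()) if m else set()
    m = EDNS_FLAGS.search(output)
    edns = set(m.group(1).split()) if m else set()
    section, answer_types = None, []
    for line in output.splitlines():
        if line.startswith(";; ") and line.rstrip().endswith("SECTION:"):
            section = line[3:].split()[0]        # QUESTION, ANSWER, AUTHORITY, ...
            continue
        if section == "ANSWER":
            rr = RR_LINE.match(line)
            if rr:
                answer_types.append(rr.group(3))
    return {"ad": "ad" in header, "do": "do" in edns, "answer_types": answer_types}


def classify(info):
    """Map the parsed reply to what the resolver is doing with DNSSEC."""
    rrsigs = info["answer_types"].count("RRSIG")
    if rrsigs == 0 and not info["do"]:
        # We asked with DO; a DNSSEC-aware server echoes it and returns the
        # RRSIGs. Neither came back: the signatures were dropped on the way.
        return "stripping"
    if rrsigs == 0 and info["ad"]:
        # Claims to have validated but gives the client nothing to check itself.
        return "ad-without-rrsig"
    if rrsigs == 0:
        return "no-signatures"
    return "validating" if info["ad"] else "passthrough"


def diagnose(resolver, name=".", rtype="SOA"):
    """Run dig against a live resolver (needs network and dig) and classify the reply."""
    out = subprocess.run(["dig", "@" + resolver, "+dnssec", name, rtype],
                         capture_output=True, text=True, check=True).stdout
    return classify(parse_dig(out))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", diagnose(sys.argv[1]))
    else:
        for label, sample in (("thread", STRIPPED_SAMPLE), ("validating", VALIDATING_SAMPLE)):
            print(label, "->", classify(parse_dig(sample)))
```

Run with no arguments to classify the two embedded samples, or with a resolver address to query it live. The point for a local validator such as unwind is that only "passthrough" and "validating" replies carry the RRSIG, DNSKEY and DS records it needs to build its own chain of trust; a "stripping" forwarder produces exactly the "no signatures ... while building chain of trust" failures from the log, and an "ad-without-rrsig" reply should not be trusted for AD over an unauthenticated path either, since a stub cannot verify the claim.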
