Hi,

hold off on this question; I may have located something wrong in my
authoritative DNS server that I program and maintain.

dig @yellow.centroid.eu +dnssec 2019.schweinfurtdating.de aaaa

gives a wrong answer and has nothing to do with unwind. Sorry partially
because it made me look closer, but sorry for the noise.

Regards,
-peter

On Sun, Apr 07, 2019 at 04:06:20PM +0200, Peter J. Philipp wrote:
> Hi,
>
> A few days ago I had some trouble resolving my website schweinfurtdating.de
> from home. Chrome running on OpenBSD-current from March 18th would report
> NXDOMAIN. I had to reload a few times to get the webpage, it was a weird
> experience. Since I run a very unique DNS setup with TSIG'ed BIND nameservers
> at first I thought it was anywhere between application layer and those servers
> in between.
>
> However when I checked schweinfurtdating.de today the image refused to load
> and I found that very weird. I happen to run a log of the lookups and found
> this:
>
> Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16
> interface "
> 2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56,
> regi
> on=8) for "2019.schweinfurtdating.de." type=AAAA(28) class=1, edns0,
> dnssecok, a
> nswering "2019.schweinfurtdating.de." (54/54)
>
> Apr 7 15:30:09 yellow delphinusdnsd[85741]: request on descriptor 3
> interface "
> 2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=TCP,
> reg
> ion=8) for "2019.schweinfurtdating.de." type=AAAA(28) class=1, edns0,
> dnssecok,
> answering "2019.schweinfurtdating.de." (54/56)
>
> Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16
> interface $
> 2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56,
> reg$
> on=8) for "de.centroid.eu." type=A(1) class=1, edns0, dnssecok, answering
> "NXDO$
> AIN"
>
> So there is a lookup right after 2019.schweinfurtdating.de from the same IP6
> that isn't even in my forwarders and my server replied with NXDOMAIN. I
> hunted through my html text to see
> where it got de.centroid.eu from and it doesn't exist. So I'm wondering if
> unwind is somehow generating the lookup for de.centroid.eu falsely and somehow
> influencing chrome? Perhaps treating a lookup as an NXDOMAIN'ed answer?
>
> My /etc/unwind.conf file looks like this:
>
> beta$ more /etc/unwind.conf
> forwarder 192.168.177.3
>
> And somehow unwind is not preferring the forwarder for some reason. Is this
> a misconfig on my end? I want it to always use 192.168.177.3, as otherwise
> the DNS travels through DTAG (telekom.de), and I don't want that. The log
> does state though it came from DTAG.
>
> Many questions in one, I'm trying to figure out what went wrong that day and
> this lookup today.
>
> Regards,
> -peter

