On Wed, Aug 05, 2020 at 07:19:29AM +0200, Peter J. Philipp wrote:
> Hi,
>
> Aug 5 07:09:55 beta unwind[1703]: startup
> Aug 5 07:09:59 beta unwind[62921]: validation failure <eta.internal.centroid.eu. A IN>: no DNSSEC records from 192.168.177.1 for DS internal.centroid.eu. while building chain of trust
>
> Let me describe my setup. Here is my unwind.conf:
>
> beta# more /etc/unwind.conf
> forwarder 192.168.177.1
> preference forwarder
>
> At 192.168.177.1 runs a forwarding delphinusdnsd (snapshot version). It has
> some internal zones, such as: internal.centroid.eu, petphi.centroid.eu, these
> are not zones that are on the big Internet and thus have no DNSSEC.

You could unbreak this in DNS by setting up insecure delegations
(publishing NS records without DS records) for your internal zones.
Doesn't mean that the authoritatives need to be reachable from the outside.
That would unbreak it for all your machines.
It doesn't look like you are running real split horizon DNS, you are
just being "lazy".

>
> unwind is being overly picky about this it seems. Is there a way to tell it,
> to not try to validate these internal zones?

The other way is:

     force [accept bogus] type {name ...}
             Force resolving of name and its subdomains by the given resolver
             type. If accept bogus is specified validation is not enforced.

>
> I'm running on 6.7.
>
> Best Regards,
> -peter
>
--
I'm not entirely sure you are real.
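
The two options from this reply, as an added example that is not part of the original mail and not unwind's code: a simplified Python model of how a validator classifies the DS lookup at a delegation, and how a `force accept bogus` list changes what the client gets. The dict fields, function names and sample cases are assumptions constructed for illustration.

```python
# Simplified model (added example, not unwind's implementation).
# Equivalent unwind.conf line for the second option, using the syntax quoted
# in the mail:  force accept bogus forwarder { internal.centroid.eu petphi.centroid.eu }

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def classify_delegation(ds_answer):
    """Classify a delegation from the parent's reply to a DS query.

    ds_answer is a constructed dict:
      ds_present    - a signed DS RRset came back
      signed_denial - validated NSEC/NSEC3 records prove that no DS exists
    """
    if ds_answer.get("ds_present"):
        return SECURE    # child zone must be signed and chain to this DS
    if ds_answer.get("signed_denial"):
        return INSECURE  # insecure delegation: NS without DS, proven by the parent
    return BOGUS         # neither DS nor proof of absence: chain of trust breaks

def under_zone(name, zone):
    """True if name equals zone or is a subdomain (label-boundary match)."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def answer_returned(name, status, accept_bogus_zones=()):
    """Bogus results are withheld unless name is under an 'accept bogus' zone."""
    if status != BOGUS:
        return True
    return any(under_zone(name, z) for z in accept_bogus_zones)

# Constructed cases mirroring the thread.
STRIPPED = {"ds_present": False, "signed_denial": False}       # "no DNSSEC records"
INSECURE_DELEGATION = {"ds_present": False, "signed_denial": True}
FORCED = ("internal.centroid.eu", "petphi.centroid.eu")

if __name__ == "__main__":
    q = "eta.internal.centroid.eu."
    for label, ds in (("as reported", STRIPPED), ("insecure delegation", INSECURE_DELEGATION)):
        status = classify_delegation(ds)
        print(label, status, "answered:", answer_returned(q, status))
    print("forced:", answer_returned(q, BOGUS, FORCED))
```

The insecure delegation fixes the classification for every validating client, while the `force accept bogus` entry only changes behaviour on the machine whose unwind.conf carries it.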