On 2021-12-06 13:49 +03, Maksim Rodin <a23s4a2...@yandex.ru> wrote:
> Hello
> I have the following unwind.conf:
> ```
> cat /etc/unwind.conf
> fwd1=192.168.1.150
> fwd2=192.168.1.1
> forwarder { $fwd1 $fwd2 }
> preference forwarder
> ```
> and an automatically generated resolv.conf:
> ```
> cat /etc/resolv.conf
> nameserver 127.0.0.1 # resolvd: unwind
> lookup file bind
> ```
> I may not understand the purpose of unwind correctly but I expect the
> unwind to respond to DNS queries using the forwarders it is pointed to
> in its config.

That is one purpose, and you configured it to do exactly that.

> But when I do:
> ```
> nslookup dc.mydomain.ru
> ```
> It says:
> ```
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find dc.mydomain.ru: SERVFAIL
> ```
>
> And I see in the logs the following:
> ```
> unwind[8550]: validation failure <dc.mydomain.ru. A IN>: no signatures from
> 192.168.1.150 for DS ru. while building chain of trust
> ```
> The DNS server on 192.168.1.150 definitely knows about the host
> dc.mydomain.ru
>
> When I ask that DNS server directly:
> ```
> nslookup dc.mydomain.ru 192.168.1.150
> ```
> It returns the correct answer
>
> So the unwind daemon seems to always query root name servers instead of my two
> servers.
> Is that the expected behavior?

It does not do that. It talks to your two servers. But it tries to do DNSSEC
validation: "no signatures from 192.168.1.150 for DS ru."

So something is odd. When unwind starts or learns about new resolvers it
checks if they can do DNSSEC validation. It's the equivalent of this:

dig @192.168.1.150 +dnssec . NS

and

dig @192.168.1.1 +dnssec . NS

and got a response it liked.

$ unwindctl status

probably outputs something like

1. forwarder validating

So it knows the root zone is signed and your forwarders hand out DNSSEC
information, but for some reason your forwarders do not answer to

dig @192.168.1.150 +dnssec ru DS

No idea why.

>
> --
> Maksim Rodin
>

--
I'm not entirely sure you are real.
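A script to run those two checks by hand against a forwarder, added here as an example rather than anything from the thread or from unwind itself. It assumes dig is installed and takes forwarder addresses as arguments (192.168.1.150 is only the poster's example); with no arguments it exercises the parser on constructed dig excerpts embedded in the script.

```shell
#!/bin/sh
# Run by hand the two checks the reply describes: "dig @fwd +dnssec . NS" must
# carry RRSIGs for unwind to call the forwarder "validating", and
# "dig @fwd +dnssec ru DS" must carry RRSIGs or the chain of trust for
# dc.mydomain.ru cannot be built. Forwarders come from the command line; with
# none given, the parser runs on the constructed dig excerpts embedded below.

# has_rrsig TYPE: read dig output on stdin; succeed only if the ANSWER section
# holds an RRSIG covering TYPE ($4 is the RR type, $5 the type covered).
has_rrsig() {
    awk -v want="$1" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/                 { in_ans = 0 }
        in_ans && $4 == "RRSIG" && $5 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# probe FORWARDER: run both queries against one forwarder and report.
probe() {
    if dig @"$1" +dnssec . NS | has_rrsig NS; then
        echo "$1: root NS answer signed; unwind will treat it as validating"
    else
        echo "$1: root NS answer unsigned; unwind will not validate through it"
        return 0
    fi
    if dig @"$1" +dnssec ru DS | has_rrsig DS; then
        echo "$1: ru DS answer signed; chain of trust to ru. can be built"
    else
        echo "$1: ru DS answer unsigned; expect 'no signatures ... for DS ru.'"
    fi
}

# Constructed dig excerpts (signature data abbreviated), not from the thread.
SIGNED_ROOT_NS='
;; ANSWER SECTION:
.	518400	IN	NS	a.root-servers.net.
.	518400	IN	RRSIG	NS 8 0 518400 20240101000000 20231201000000 46780 . b64sig==

;; Query time: 1 msec'
UNSIGNED_RU_DS='
;; ANSWER SECTION:
ru.	86400	IN	DS	43786 8 2 deadbeef
;; Query time: 1 msec'

if [ $# -eq 0 ]; then
    printf '%s\n' "$SIGNED_ROOT_NS" | has_rrsig NS && echo "sample root NS: signed"
    printf '%s\n' "$UNSIGNED_RU_DS" | has_rrsig DS || echo "sample ru DS: unsigned"
else
    for fwd in "$@"; do probe "$fwd"; done
fi
```

A forwarder that signs the first answer but not the second reproduces the "no signatures ... for DS ru." failure; one that signs neither is simply not used for validation.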