> So something is odd. When unwind starts or learns about new resolvers it
> checks if they can do DNSSEC validation. It's the equivalent of this:
>
> dig @192.168.1.150 +dnssec . NS
> and
> dig @192.168.1.1 +dnssec . NS
>
> and got a response it liked.

192.168.1.150 is a Samba 4 internal DNS server which I think is not capable of DNSSEC yet. And I do not need it now. It is pointed to 192.168.1.1 as a forwarder.
192.168.1.1 is an unbound + nsd OpenBSD router which I did not set up to do DNSSEC. It is pointed to my provider's DNS server as a forwarder.
I do not quite understand how any of the two DNS servers pretend to give DNSSEC information.

On Mon 06 Dec 2021 17:20:28, Florian Obser wrote:
> On 2021-12-06 13:49 +03, Maksim Rodin <a23s4a2...@yandex.ru> wrote:
> > Hello
> > I have the following unwind.conf:
> > ```
> > cat /etc/unwind.conf
> > fwd1=192.168.1.150
> > fwd2=192.168.1.1
> > forwarder { $fwd1 $fwd2 }
> > preference forwarder
> > ```
> > and an automatically generated resolv.conf:
> > ```
> > cat /etc/resolv.conf
> > nameserver 127.0.0.1 # resolvd: unwind
> > lookup file bind
> > ```
> > I may not understand the purpose of unwind correctly but I expect the
> > unwind to respond to DNS queries using the forwarders it is pointed to
> > in its config.
>
> That is one purpose, and you configured it to do exactly that.
>
> > But when I do:
> > ```
> > nslookup dc.mydomain.ru
> > ```
> > It says:
> > ```
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > ** server can't find dc.mydomain.ru: SERVFAIL
> > ```
> >
> > And I see in the logs the following:
> > ```
> > unwind[8550]: validation failure <dc.mydomain.ru. A IN>: no signatures from
> > 192.168.1.150 for DS ru. while building chain of trust
> > ```
> > The DNS server on 192.168.1.150 definitely knows about the host
> > dc.mydomain.ru
> >
> > When I ask that DNS server directly:
> > ```
> > nslookup dc.mydomain.ru 192.168.1.150
> > ```
> > It returns the correct answer
> >
> > So the unwind daemon seems to always query root name servers instead of my
> > two servers.
> > Is that the expected behavior?
>
> It does not do that. It talks to your two servers. But it tries to do
> DNSSEC validation: "no signatures from 192.168.1.150 for DS ru."
>
> So something is odd. When unwind starts or learns about new resolvers it
> checks if they can do DNSSEC validation. It's the equivalent of this:
>
> dig @192.168.1.150 +dnssec . NS
> and
> dig @192.168.1.1 +dnssec . NS
>
> and got a response it liked.
>
> $ unwindctl status
>
> probably outputs something like
>
> 1. forwarder validating
>
> So it knows the root zone is signed and your forwarders hand out DNSSEC
> information, but for some reason your forwarders do not answer to
>
> dig @192.168.1.150 +dnssec ru DS
>
> No idea why.
>
> >
> > --
> > Maksim Rodin
> >
>
> --
> I'm not entirely sure you are real.
>

--
Best regards, Maksim Rodin
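As an added example, not part of this thread and not unwind's own probing code: a small POSIX shell script that runs the two probes Florian describes (`. NS` and `ru DS` with `+dnssec`) against each forwarder and reports, per query, whether the ANSWER section carries RRSIG records. That is the evidence unwind wants when it builds the chain of trust, so a forwarder that reports `signed` for the root NS query but `unsigned` or `empty` for the `ru DS` query is the one breaking validation. The function and variable names are this example's own, and the sample dig outputs embedded at the bottom are constructed for the offline check, not captured from the poster's servers.

```shell
#!/bin/sh
# Added example: classify a `dig +dnssec` answer by its DNSSEC evidence.
# Names (dnssec_evidence, probe_forwarder) are this example's own.

# dnssec_evidence OUTPUT
#   Prints "signed"   when the ANSWER section contains an RRSIG record,
#          "unsigned" when it has records but no RRSIG,
#          "empty"    when there is no ANSWER section at all
#   (e.g. the forwarder only returned an AUTHORITY/SOA or an error).
dnssec_evidence() {
    _out=$1
    # Keep the lines between ";; ANSWER SECTION:" and the next blank line,
    # dropping dig's own ";"-prefixed comment lines.
    _answer=$(printf '%s\n' "$_out" | awk '
        /^;; ANSWER SECTION:/ { f = 1; next }
        f && /^$/            { exit }
        f && !/^;/')
    if [ -z "$_answer" ]; then
        echo empty
    elif printf '%s\n' "$_answer" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
        echo signed
    else
        echo unsigned
    fi
}

# probe_forwarder SERVER
#   Runs the two probes from the thread against SERVER (needs dig and network)
#   and prints one classification line per query.
probe_forwarder() {
    _srv=$1
    for _q in ". NS" "ru DS"; do
        # $_q is intentionally unquoted so "ru DS" becomes two arguments
        _res=$(dig "@$_srv" +dnssec +time=3 +tries=1 $_q 2>/dev/null)
        printf '%s  %-6s %s\n' "$_srv" "$_q" "$(dnssec_evidence "$_res")"
    done
}

# Constructed sample outputs (not real captures) for an offline self-check.
SAMPLE_SIGNED=';; ANSWER SECTION:
.    518400  IN  NS     a.root-servers.net.
.    518400  IN  RRSIG  NS 8 0 518400 20211220050000 20211207040000 14748 . EXAMPLEBASE64==

;; Query time: 1 msec'

SAMPLE_UNSIGNED=';; ANSWER SECTION:
ru.  86400   IN  DS     0 8 2 0000000000000000000000000000000000000000000000000000000000000000

;; Query time: 1 msec'

SAMPLE_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1

;; AUTHORITY SECTION:
ru.  3600    IN  SOA    a.dns.ripn.net. hostmaster.ripn.net. 1 1 1 1 1'

# Usage: ./probe.sh 192.168.1.150 192.168.1.1
# With no arguments nothing touches the network; only the functions are defined.
for _srv in "$@"; do
    probe_forwarder "$_srv"
done
```

Reading the result is straightforward: when the first forwarder answers `. NS` with `signed` and `ru DS` with `unsigned` or `empty`, that matches the log line in the thread (unwind concluded the forwarder validates, then got no signatures for `DS ru.`), and the fix belongs on that forwarder rather than in unwind.conf.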