On Sat, Feb 19, 2022 at 07:35:43PM +0100, Why 42? The lists account. wrote:

> 
> Hi All,
> 
> I thought I would try running unwind on my desktop at home. Reading the
> manual page, it doesn't seem to require any specific configuration, so I
> started it via rcctl and everything seemed to work as expected e.g. it
> found the address of my router/DHCP server, resolv.conf was updated and
> DNS queries worked:
> > mjoelnir:/etc 19.02 18:21:02 # rcctl start unwind
> > unwind(ok)
> 
> > mjoelnir:/etc 19.02 18:21:18 # unwindctl status
> > 1. recursor        validating,   N/A   3. stub             resolving,   N/A
> > 2. autoconf        validating,   N/A   4. oDoT-autoconf         dead,   N/A
> > 
> >                       histograms: lifetime[ms], decaying[ms]
> >          <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
> >   rec      0     0     0     0     0     0     0     0     0     0     0     0
> >            0     0     0     0     0     0     0     0     0     0     0     0
> >  auto      0     0     0     0     0     0     0     0     0     0     0     0
> >            0     0     0     0     0     0     0     0     0     0     0     0
> >  stub      0     0     0     0     0     0     0     0     0     0     0     0
> >            0     0     0     0     0     0     0     0     0     0     0     0
> > auto*      0     0     0     0     0     0     0     0     0     0     0     0
> >            0     0     0     0     0     0     0     0     0     0     0     0
> 
> > mjoelnir:/etc 19.02 18:21:29 # unwindctl status autoconf
> > autoconfiguration forwarders:
> >   DHCP[em0]: 192.168.178.254
> 
> After some DNS queries ...
> > mjoelnir:/etc 19.02 18:33:02 # unwindctl status
> > 1. autoconf        validating,  50ms   3. stub             resolving,   Inf
> > 2. recursor        validating, 150ms   4. oDoT-autoconf         dead,   N/A
> > 
> >                       histograms: lifetime[ms], decaying[ms]
> >          <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
> >  auto      9    13    20    25     9     5    14     3     1     1     0     0
> >            4     9    12    15     6     3     8     2     0     0     0     0
> >   rec      2     1     4     0     0     3    16     4     5     0     1     1
> >            1     0     2     0     0     2    10     3     3     0     0     0
> >  stub      8     0     0     0     0     0     0     0     0     0     0     1
> >            3     0     0     0     0     0     0     0     0     0     0     0
> > auto*      0     0     0     0     0     0     0     0     0     0     0     0
> >            0     0     0     0     0     0     0     0     0     0     0     0
> 
> However, some time later (in this test a few minutes) resolving of local
> hostnames stops working and unwind begins logging messages like these:
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> > Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: key for validation mjoelnir. is marked as invalid because of a previous validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
> > Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure <www.zimagez.com.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> > Feb 19 18:39:07 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> > Feb 19 18:39:59 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
> > Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure <novena. A IN>: no DNSSEC records from 192.168.178.254 for DS novena. while building chain of trust
> 
> mjoelnir is the local system, where unwind is running, and novena is
> another (linux) system on the local network. I don't know what zimagez
> is.
> 
> Further validation failure messages have what appear to be incorrectly
> concatenated names for the local system e.g.
> > Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> > Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box.fritz.box. AAAA IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> 
> Why does unwind function at first and then stop working? Have I failed to
> configure it correctly? What did I miss?
> 
> Why does it appear to incorrectly double append the domain name i.e.
> "...fritz.box.fritz.box."?
> 
> What does "DS" mean in those messages?
> 
> This is all with unwind_flags="-v" in rc.conf.local. Although this
> doesn't seem to have made unwind especially verbose. There is no
> /etc/unwind.conf file in this case (I experimented a bit with one, trying
> various options, but this behaviour was unchanged.)

What you are seeing is reports of DNSSEC validation failures. These
failures occur for your local stuff as there is no chain of trust
from the root via intermediate zones to the record.

For signed zones this chain of trust uses DS records to establish a
trust relation between parent zone (having the DS record) and child
zone (having a DNSKEY that matches the DS).

For unsigned domains there must be signed "proof" by the parent zone
(or one higher up the tree) that the zone in question is unsigned. In
your case this is also lacking.

unwind does work, it just refuses to serve unvalidated records.

You can try:

forwarder ip.of.your.fritzbox

force accept bogus forwarder {
        fritz.box
}

See unwind.conf for details.

As for the double fritz.box.fritz.box: a client asked for it, so
unwind tries to resolve it. The issue is with the client asking a
stupid question. Happens all the time in DNS land.

 -Otto

> 
> I'm running a recent snapshot:
> sysctl kern.version
> kern.version=OpenBSD 7.0-current (GENERIC.MP) #352: Wed Feb 16 01:23:21 MST 2022
>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> Cheers,
> Robb.
> 
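An added example, not from this thread and not unwind's own code: a small Python model of the chain-of-trust walk Otto describes. The DS-query outcomes per zone cut are constructed data that mimic what the router returns for its local names, and the `accept_bogus` parameter is an assumed stand-in for the `force accept bogus forwarder { fritz.box }` setting.

```python
# Toy model of how a validator builds a chain of trust from the root down to
# a name.  At every zone cut it asks the parent for a DS record, and each cut
# can end one of three ways:
#   "ds"     - a DS matching the child's DNSKEY: the chain continues (secure)
#   "denial" - signed NSEC/NSEC3 proof that no DS exists: chain ends (insecure)
#   "none"   - no DNSSEC records at all, as a home router returns for its
#              made-up local zone: validation fails (bogus)
# A cut with no entry is not a zone cut; the parent proves that with a signed
# NODATA answer and the walk simply continues.
DS_RESPONSES = {            # constructed data, loosely mirroring the report
    "box.": "ds",
    "fritz.box.": "none",   # router's local domain: no DS, no proof of absence
    "mjoelnir.": "none",    # the router also answers bare host names
    "com.": "ds",
    "example.com.": "ds",
    "unsigned.example.com.": "denial",
}

def zone_cuts(name):
    """Return the candidate zone cuts of name, parent first, root excluded."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def under(name, domains):
    """True when name is at or below one of the configured domains."""
    name = name.lower().rstrip(".") + "."
    suffixes = [d.lower().rstrip(".") + "." for d in domains]
    return any(name == d or name.endswith("." + d) for d in suffixes)

def validate(name, responses=DS_RESPONSES, accept_bogus=()):
    """Classify name as secure / insecure / bogus / accepted, with a reason."""
    for cut in zone_cuts(name):
        resp = responses.get(cut)
        if resp in (None, "ds"):
            continue
        if resp == "denial":
            return "insecure", f"{cut} is provably unsigned"
        reason = f"no DNSSEC records for DS {cut} while building chain of trust"
        # Modelled 'force accept bogus forwarder { <domain> }': answers for
        # names under a listed domain are served even though they are bogus.
        if under(name, accept_bogus):
            return "accepted", reason
        return "bogus", reason
    return "secure", "chain of trust complete"

if __name__ == "__main__":
    for qname in ("www.example.com.", "mjoelnir.fritz.box.", "mjoelnir."):
        print(qname, validate(qname, accept_bogus=["fritz.box"]))
```

Note that a bare host name such as `mjoelnir.` is not under `fritz.box` and so still fails even with that domain listed, which matches the `DS mjoelnir.` failures in the log.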
