Hello,

I often have to deal with unwind refusing to serve DNS queries. When it happens I see an entry like this in the daemon log:

"May 6 13:15:22 main unwind[42415]: validation failure <mangolassi.it. A IN>: key for validation mangolassi.it. is marked as invalid because of a previous no DNSSEC records"

Reading misc archives I came to the following solution:
https://marc.info/?l=openbsd-misc&m=164534272713803&w=2

"force accept bogus forwarder { fritz.box }"

After I was tired of adding every single domain to my unwind.conf every time unwind was refusing to serve a query, I began to add entries like this:

...
force accept bogus autoconf { co }
force accept bogus autoconf { be }
force accept bogus autoconf { org }
...

This solution helps longer... till I get to a site with a new TLD which is still not listed in my config like the previous entries.

One more interesting thing is: a new site might work well for weeks and then suddenly stop working with the same message in the log.

Is there a better way to deal with name resolution using unwind? The most irritating thing is that when a site is partially working (it might be fetching many additional resources from other hosts) I have a hard time understanding whether it is a problem with the site or a problem with name resolution on my desktop.

Here is my whole config. The forwarders are used when I connect to VPN to query internal resources by their internal IP:

fwd1=10.24.2.11
fwd2=10.24.2.101

forwarder { $fwd1 $fwd2 }
preference { autoconf forwarder }

force accept bogus forwarder { internal_domain1 }
force accept bogus forwarder { internal_domain2 }
force accept bogus autoconf { co }
force accept bogus autoconf { be }
force accept bogus autoconf { org }
force accept bogus autoconf { by }
force accept bogus autoconf { ru }
force accept bogus autoconf { com }
force accept bogus autoconf { net }
force accept bogus autoconf { nu }
force accept bogus autoconf { io }
force accept bogus autoconf { no }
force accept bogus autoconf { cafe }
force accept bogus autoconf { cc }
force accept bogus autoconf { wiki }
force accept bogus autoconf { us }
force accept bogus autoconf { es }
force accept bogus autoconf { market }
force accept bogus autoconf { cloud }
force accept bogus autoconf { got }
force accept bogus autoconf { ca }
force accept bogus autoconf { club }
force accept bogus autoconf { site }
force accept bogus autoconf { fans }
force accept bogus autoconf { one }
force accept bogus autoconf { gift }
force accept bogus autoconf { xyz }
force accept bogus autoconf { dev }
force accept bogus autoconf { cz }
force accept bogus autoconf { eu }

-- 
Best regards
Maksim Rodin
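
For telling a resolver-side failure apart from a site-side one, the validation failures can be summarised straight from the daemon log. The script below is an added example, not part of the original post: the function names are hypothetical, the sample lines other than the first are constructed, and /var/log/daemon as the log path is an assumption.

```sh
#!/bin/sh
# Added example: summarise unwind DNSSEC validation failures from
# syslog-style lines on stdin. Function names are hypothetical.

# Sample input. The first line is the one quoted in the post; the
# remaining lines are constructed for illustration.
sample_log() {
cat <<'EOF'
May 6 13:15:22 main unwind[42415]: validation failure <mangolassi.it. A IN>: key for validation mangolassi.it. is marked as invalid because of a previous no DNSSEC records
May 6 13:15:23 main unwind[42415]: validation failure <mangolassi.it. AAAA IN>: key for validation mangolassi.it. is marked as invalid because of a previous no DNSSEC records
May 6 13:16:02 main unwind[42415]: validation failure <cdn.example.org. A IN>: key for validation example.org. is marked as invalid because of a previous no DNSSEC records
May 6 13:16:05 main sshd[1234]: unrelated line
EOF
}

# Print "count name" for every queried name unwind refused to answer,
# most frequent first. Lines from other daemons are ignored.
unwind_failures() {
    sed -n 's/^.* unwind\[[0-9]*]: validation failure <\([^ >]*\) [A-Z0-9]* IN>:.*$/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print each zone whose key unwind has marked invalid, once per zone.
# This is the zone where validation broke, which may sit above the
# queried name (example.org. for cdn.example.org.).
unwind_bad_zones() {
    sed -n 's/^.* unwind\[[0-9]*]: validation failure <.*>: key for validation \([^ ]*\) is marked as invalid.*$/\1/p' |
        sort -u
}

# Usage (log path is an assumption):
#   unwind_failures < /var/log/daemon
#   unwind_bad_zones < /var/log/daemon
```

If a half-working page's third-party hosts show up in this output, the missing resources are a validation problem on the resolver rather than an outage on the site.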