On Tue, Sep 28, 2021, at 11:22, Brian Brombacher wrote:
>> On Sep 27, 2021, at 8:52 PM, abyx...@mnetic.ch wrote:
>> 
>> Hello, trying to set up unwind with nsd on the same machine serving an 
>> internal domain (home.arpa) with all my machines being part of that domain, 
>> eg router.home.arpa. If I point dig at my nsd instance (dig @127.0.0.1 -p 
>> 10053 router.home.arpa. A) I see my subdomains in the zone all being 
>> returned (router.home.arpa. -> 10.0.0.1). If I set nsd as a forwarder in 
>> unwind.conf (forwarder 127.0.0.1 port 10053) though, things get weird. My 
>> ISP doesn't return any results for home.arpa but some other servers (quad9 
>> and Cloudflare?) return a blackhole address pointing to prisoner.iana.org. If 
>> I limit unwind to preference {forwarder recursor} I now get my local nsd 
>> results for my domains as expected. If I comment out the preference line, 
>> unwind eventually learns a server that will answer to home.arpa with the 
>> blackhole prisoner.iana.org address (at least a minute in, sometimes longer, 
>> makes testing difficult). The use of force forwarder {home.arpa} and force 
>> accept bogus forwarder {home.arpa} don't appear to have any effect at all. 
>> (Full configs and dmesg below). 
>> 
>> I dug through the code a bit, if I'm following it correctly in 
>> sbin/unwind/resolver.c:check_resolver_done, nsd seems to be returning a 
>> SERVFAIL and being marked dead (as confirmed with unwindctl status). I am not 
>> sure I followed the code correctly at this point, but being set to DEAD 
>> and/or returning a SERVFAIL seems to preempt the use of force accept bogus. 
>> I am not sure what test unwind/libunbound are doing to check the health 
>> status of the different resolvers but I have yet to see my nsd forwarder not 
>> marked as "dead" in unwindctl status. Any ideas on how to debug this? This 
>> happens on both 6.9 and -current. The -current dmesg is posted below. 
>> 
>> 
>> 
>> ---
>> router# cat /etc/unwind.conf
>> 
>> forwarder {
>>        127.0.0.1 port 10053
>> }
>> 
>> force accept bogus forwarder { home.arpa }
>> #force autoconf { home.arpa }
>> preference { forwarder recursor }
>
> Shouldn’t this be:
>
> preference { recursor forwarder }
>
> The force forwarder is good enough for home.arpa to “prefer” (force) 
> the use of the forwarder.
>
> This way your recursor will find results via the internet while 
> home.arpa will go to NSD.
>
> I have not tested this, and I use unbound as others have described to 
> forward local domains to my NSD.

The necessity of this ordering is brought about by NSD being marked as a
"DEAD" resolver. Overriding the ordering via the preference tag of course
brings about its own problems.