On Mon, Feb 03, 2020 at 07:52:29PM +0100, Florian Obser wrote:
> On Mon, Feb 03, 2020 at 06:16:54PM +0100, Solene Rapenne wrote:
> > I re-enabled unwind today (I was using append instead of prepend in
> > dhclient.conf) and I got a few issues resolving domains, often the first
> > time; if I try again I get a result. I'm pretty sure it's not a bug, but
> > I have no idea what's happening here, so maybe log output or
> > documentation could be enhanced.
> >
> >
> > From /var/log/messages (192.168.1.254 is the DNS from my DHCP)
> >
> > Feb  3 17:55:44 solene unwind[18044]: validation failure
> > <ocsp.int-x3.letsencrypt.org. A IN>: no signatures from 192.168.1.254 for
> > key org. while building chain of trust
> > Feb  3 18:05:10 solene unwind[18044]: validation failure <google.fr. A IN>:
> > no DNSSEC records from 192.168.1.254 for DS google.fr. while building chain
> > of trust
> > Feb  3 18:05:18 solene unwind[18044]: validation failure <google.it. A IN>:
> > no signatures from 192.168.1.254 for DS it. while building chain of trust
> >
>
> Looks like your dhcp nameserver strips DNSSEC in a weird way.
> Can you please show
>
> dig @192.168.1.254 +dnssec . SOA
> and
> dig @192.168.1.254 org DNSKEY
>
> --
> I'm not entirely sure you are real.
>
sure :)

solene@t480 ~ $ dig @192.168.1.254 +dnssec . SOA

; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 +dnssec . SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       84857   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020020301 1800 900 604800 86400

;; Query time: 25 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Feb 03 19:54:35 CET 2020
;; MSG SIZE  rcvd: 103

solene@t480 ~ $ dig @192.168.1.254 org DNSKEY

; <<>> dig 9.10.8-P1 <<>> @192.168.1.254 org DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25574
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;org.                           IN      DNSKEY

;; ANSWER SECTION:
org.                    401     IN      DNSKEY  257 3 7 AwEAAcMnWBKLuvG/LwnPVykcmpvnntwxfshHlHRhlY0F3oz8AMcuF8gw
                                9McCw+BoC2YxWaiTpNPuxjSNhUlBtcJmcdkz3/r7PIn0oDf14ept1Y9p
                                dPh8SbIBIWx50ZPfVRlj8oQXv2Y6yKiQik7bi3MT37zMRU2kw2oy3cgr
                                sGAzGN4s/C6SFYon5N1Q2O4hGDbeOq538kATOy0GFELjuauV9guX/431
                                msYu4Rgb5lLuQ3Mx5FSIxXpI/RaAn2mhM4nEZ/5IeRPKZVGydcuLBS8G
                                ZlxW4qbb8MgRZ8bwMg0pqWRHmhirGmJIt3UuzvN1pSFBfX7ysI9PPhSn
                                wXCNDXk0kk0=
org.                    401     IN      DNSKEY  256 3 7 AwEAAckRQFGzYbS2OQXpXbXyQqxq+hQ6duZa7HRI9RWfzyKh+cQHSYl2
                                1tqYKEvc6+9UFqf/iWnM8w2M4kQdd/hF8FdWfp7gPLzX7KYcdzR7Vgzf
                                pQA184R+GR3T/S4wJggIi97xBO+dptwp40sTyg9ItA1adGVSs+hjRW3C
                                uKvobENn
org.                    401     IN      DNSKEY  256 3 7 AwEAAc2YgUjigNpgbsmzLkHyamRd31OOchY1kRkYDhPyufgiM9KiqujZ
                                U53x9qEhq465qf6IgdKxWeYQMk+Glw49IHRx1hvdxjn6Gfjc/96uH5cv
                                khEV38SvuDeZOzbNkJK0BvYo6Hck4lCSjJ1Wl2n1Mjguba0lEo8haWdJ
                                MJS1D603
org.                    401     IN      DNSKEY  257 3 7 AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+Tz6X2fqzDC1b
                                dq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G1GdbjQgbP1OyYIG7OHTc4hv5
                                T2NlyWr6k6QFz98Q4zwFIGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsU
                                ACxlidpwB0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4hL1jI
                                R2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnCuxkfS4AQ485KH2tp
                                dbWcCopLJZs6tw8q3jWcpTGzdh/v3xdYfNpQNcPImFlxAun3BtORPA2r
                                8ti6MNoJEHU=

;; Query time: 26 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Feb 03 19:54:42 CET 2020
;; MSG SIZE  rcvd: 880
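The two dig queries Florian asked for test whether the DHCP-supplied resolver passes DNSSEC material through. In the first answer above the EDNS line reads `flags:` with nothing after it, so the DO bit set by `+dnssec` was not echoed back, and the root SOA comes back without an RRSIG even though the root zone is signed; a validating stub such as unwind cannot build a chain of trust from such a forwarder, which is what the "no signatures from 192.168.1.254" log lines report. The script below is an added example written for this page, not code from the thread or from unwind. It does the same check programmatically: it sends a query with the EDNS0 DO bit set, parses the reply and reports whether RRSIGs came back and whether DO was echoed. The replies embedded in it are constructed, not captured traffic; one mirrors the shape of the output above (SOA only, no RRSIG, empty EDNS flags) and one is what a DNSSEC-transparent resolver returns. Function names such as `check_forwarder`, `classify` and `build_reply` are the example's own.

```python
"""Does a forwarder pass DNSSEC through?  Added example, not code from the thread or
from unwind: send a DO=1 query, then report whether RRSIGs and the DO bit came back."""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 6, 41, 46
DO_FLAG, AD_FLAG = 0x8000, 0x0020   # DO: top half of the OPT "TTL"; AD: header flag bit

def encode_name(name):
    """Wire-format a dotted name; "." becomes the single root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.strip(".").split(".") if l)
    return out + b"\x00"

def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata

def opt_rr(flags, udp_size=4096):
    """EDNS0 OPT pseudo-RR: root name, class = UDP payload size, TTL = extended flags."""
    return b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, flags, 0)

def build_query(qname, qtype, txid=0x1234, dnssec_ok=True):
    """RD=1 query with one question and an OPT record (what dig +dnssec sends)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    return header + question + opt_rr(DO_FLAG if dnssec_ok else 0)

def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2   # only the first jump sets the end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_response(msg):
    """Summarise header flags, RR types per section and whether DO was echoed."""
    _, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    do_echoed = False
    for section, count in zip(sections, (an, ns, ar)):
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do_echoed = bool(ttl & DO_FLAG)
            else:
                sections[section].append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG),
            "do_echoed": do_echoed, "sections": sections}

def classify(summary):
    """Interpret a DO=1 reply for a name that is known to be signed (e.g. the root)."""
    if TYPE_RRSIG in summary["sections"]["answer"]:
        return "dnssec-passthrough"   # signatures present: a validator can work with this
    if not summary["do_echoed"]:
        return "do-bit-dropped"       # EDNS flags came back empty: DO not honoured
    return "rrsig-stripped"           # DO echoed but signatures removed from the answer

def check_forwarder(server, qname=".", qtype=TYPE_SOA, timeout=3.0):
    """Live check over UDP/53 (needs network); returns the classify() verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data))

def build_reply(header_flags, answers, opt_flags, qname=".", qtype=TYPE_SOA):
    """Assemble a constructed reply for offline use: header, question, answers, OPT."""
    header = struct.pack(">HHHHHH", 0x1234, header_flags, 1, len(answers), 0, 1)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1) + b"".join(answers) + opt_rr(opt_flags)

# Constructed samples (not captured traffic).  ROOT_SOA mirrors the SOA in the thread; the
# RRSIG rdata is a zero placeholder of plausible size, since only the RR type is inspected.
ROOT_SOA = rr(".", TYPE_SOA, 84857, encode_name("a.root-servers.net.")
              + encode_name("nstld.verisign-grs.com.")
              + struct.pack(">IIIII", 2020020301, 1800, 900, 604800, 86400))
ROOT_RRSIG = rr(".", TYPE_RRSIG, 84857, b"\x00" * 18 + encode_name(".") + b"\x00" * 64)
STRIPPED_REPLY = build_reply(0x8180, [ROOT_SOA], 0)                       # qr rd ra, no ad, no DO
GOOD_REPLY = build_reply(0x8180 | AD_FLAG, [ROOT_SOA, ROOT_RRSIG], DO_FLAG)  # qr rd ra ad, DO echoed

if __name__ == "__main__":            # e.g. python3 check_do.py 192.168.1.254
    import sys
    for target in sys.argv[1:]:
        print(target, check_forwarder(target))
```

Run against a forwarder, "do-bit-dropped" corresponds to the empty `flags:` line in the dig output above; "rrsig-stripped" covers the other failure mode, where DO is echoed but signatures are still removed. Neither verdict depends on the AD bit, because a forwarder that validates for itself may set AD while still withholding the RRSIGs a downstream validator needs.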