On Wed, Feb 05, 2020 at 03:14:41PM GMT, Florian Obser wrote: > > I'm sure you had(!) a different issue than Solene. unwind correctly > detects that your dhcp provided nameserver can only do resolving and > strips dnssec records while the recursor can do validation. > > On December 18th I enabled a shared cache for negative answers in > rev 1.116 of resolver.c. > > As kn@ found out the hard way we cannot share a cache with a resolving > strategy that can only do resolving. > This has been fixed on January 20th with rev 1.120: > > We can not share a cache between validating and resolving strategies. > The resolving only strategies mess up the negative cache by claiming > DNSSEC related records do not exist which confuses the validating > strategies. > Found the hard way by kn@ and analysed by otto@ > OK kn@ > > Pretty sure your issue has been resolved with that (The log you are > showing is certainly from the timeframe where the issue existed). > > It's still a bit unclear what Solene's issue was, it looks like the > dhcp provided nameserver did support dnssec in the past and then > suddenly stopped. Possibly a change at the isp. unwind failed to > detect this. I have to think about what to do about it. >
Hi Florian, Correct, I *did* have that issues, indeed. Also, at the time of Solene's email I was *still* seeing a lot of "validation failure" log messages each hour due to running an older snapshot (I'm usually on top of it). I had conflated the two and had drawn the wrong conclusion so apologies for the noise. This email is just to set the record straight as well as for the list archives. A tad late as both yours and Otto's replies have been flagged as spam and I had to fish them out of there. Regards, Raf
