On Fri, Apr 07, 2023 at 05:50:57PM +0200, p...@delphinusdns.org wrote:
> >Synopsis:    unwind is too noisy on sendto failures / it's misleading

/cut

> This leaves just one syslog for this:
> 
> Apr  7 17:45:43 stern unwind[28804]: check_resolver_done: bad packet: too short: -1
> 

/cut

I forgot to mention that I got another log about unwind on April 6th, which put
me on this debug effort including the filtering (to put unwind on my forwarder)
etc.

Apr  6 14:43:05 polarstern unwind[97893]: bad packet: too large: 65552 - pool.ntp.org. IN AAAA
Apr  6 14:46:25 polarstern unwind[97893]: bad packet: too large: 65552 - pool.ntp.org.mainrechner.de. IN AAAA

Unfortunately I have no more information.  My flowd (I just checked) does only
IPv4 and apparently IPv6 was used in both cases.  (off topic but is there a way
that flowd does IPv6?  perhaps a misconfig on my end).

Here is what I reason about these packets: they are TCP not UDP due to their
size, they are over IPv6, and one of them hit one of my nameservers (for
the zone mainrechner.de).  Unfortunately some time ago I put in a memory log
with syslog for delphinusdnsd so the log is long lost.  Also I have seen
an AXFR oddity to my IPv6 nameserver once.  This tells me little other than
if there is a MITM happening it is closer to Germany than Netherlands (where
my 2nd nameserver resides at openbsd.amsterdam).  Also the first bad packet
could not have hit my nameservers but rather went to pool.ntp.org's nameservers.

I grep'ed a little through the unwind sources and there is a 65552 magic number
as a buffer size, but I don't understand the code.  I just know that a very
large AAAA response like that is perhaps and more probably bogus.

Any thoughts?

Best Regards,
-peter
