Hi All,
I thought I would try running unwind on my desktop at home. Reading the manual page, it doesn't seem to require any specific configuration, so I started it via rcctl and everything seemed to work as expected, e.g. it found the address of my router/DHCP server, resolv.conf was updated and DNS queries worked:

> mjoelnir:/etc 19.02 18:21:02 # rcctl start unwind
> unwind(ok)
> mjoelnir:/etc 19.02 18:21:18 # unwindctl status
> 1. recursor validating, N/A        3. stub resolving, N/A
> 2. autoconf validating, N/A        4. oDoT-autoconf dead, N/A
>
> histograms: lifetime[ms], decaying[ms]
>          <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
> rec        0     0     0     0     0     0     0     0     0     0     0     0
>            0     0     0     0     0     0     0     0     0     0     0     0
> auto       0     0     0     0     0     0     0     0     0     0     0     0
>            0     0     0     0     0     0     0     0     0     0     0     0
> stub       0     0     0     0     0     0     0     0     0     0     0     0
>            0     0     0     0     0     0     0     0     0     0     0     0
> auto*      0     0     0     0     0     0     0     0     0     0     0     0
>            0     0     0     0     0     0     0     0     0     0     0     0
> mjoelnir:/etc 19.02 18:21:29 # unwindctl status autoconf
> autoconfiguration forwarders:
> DHCP[em0]: 192.168.178.254

After some DNS queries ...

> mjoelnir:/etc 19.02 18:33:02 # unwindctl status
> 1. autoconf validating, 50ms       3. stub resolving, Inf
> 2. recursor validating, 150ms      4. oDoT-autoconf dead, N/A
>
> histograms: lifetime[ms], decaying[ms]
>          <10   <20   <40   <60   <80  <100  <200  <400  <600  <800 <1000     >
> auto       9    13    20    25     9     5    14     3     1     1     0     0
>            4     9    12    15     6     3     8     2     0     0     0     0
> rec        2     1     4     0     0     3    16     4     5     0     1     1
>            1     0     2     0     0     2    10     3     3     0     0     0
> stub       8     0     0     0     0     0     0     0     0     0     0     1
>            3     0     0     0     0     0     0     0     0     0     0     0
> auto*      0     0     0     0     0     0     0     0     0     0     0     0
>            0     0     0     0     0     0     0     0     0     0     0     0

However, some time later (in this test a few minutes) resolution of local hostnames stops working and unwind begins logging messages like these:

> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: key for validation mjoelnir. is marked as invalid because of a previous validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
> Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure <www.zimagez.com.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> Feb 19 18:39:07 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> Feb 19 18:39:59 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
> Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure <novena. A IN>: no DNSSEC records from 192.168.178.254 for DS novena. while building chain of trust

mjoelnir is the local system, where unwind is running, and novena is another (Linux) system on the local network. I don't know what zimagez is.

Further validation failure messages have what appear to be incorrectly concatenated names for the local system, e.g.

> Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
> Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box.fritz.box. AAAA IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust

Why does unwind function at first and then stop working? Have I failed to configure it correctly? What did I miss?

Why does it appear to incorrectly double append the domain name, i.e. "...fritz.box.fritz.box."?

What does "DS" mean in those messages?

This is all with unwind_flags="-v" in rc.conf.local, although this doesn't seem to have made unwind especially verbose.

There is no /etc/unwind.conf file in this case (I experimented a bit with one, trying various options, but this behaviour was unchanged.)

I'm running a recent snapshot:

sysctl kern.version
kern.version=OpenBSD 7.0-current (GENERIC.MP) #352: Wed Feb 16 01:23:21 MST 2022
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Cheers,
Robb.
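As an added example (not part of Robb's post or of unwind itself), a small Python parser for the "validation failure" lines quoted above: it extracts the queried name, the zone whose DS record the forwarder did not return, and the forwarder address, tallies failures per zone, and flags query names that carry the same suffix twice. DS here is the Delegation Signer record, which a validator fetches from the parent zone (or a signed proof of its absence) while building the chain of trust; the sample lines are copied from the log quoted above.

```python
import re
from collections import Counter

# A subset of the unwind log lines quoted in the post (copied, not constructed).
SAMPLE_LOG = """\
Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
Feb 19 18:36:12 mjoelnir unwind[72749]: validation failure <mjoelnir. A IN>: no DNSSEC records from 192.168.178.254 for DS mjoelnir. while building chain of trust
Feb 19 18:36:30 mjoelnir unwind[72749]: validation failure <www.zimagez.com.fritz.box. A IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
Feb 19 18:40:38 mjoelnir unwind[72749]: validation failure <novena. A IN>: no DNSSEC records from 192.168.178.254 for DS novena. while building chain of trust
Feb 19 18:43:47 mjoelnir unwind[72749]: validation failure <mjoelnir.fritz.box.fritz.box. AAAA IN>: key for validation fritz.box. is marked as invalid because of a previous validation failure <mjoelnir.fritz.box. A IN>: no DNSSEC records from 192.168.178.254 for DS fritz.box. while building chain of trust
"""

# The first <name type class> is the query that failed; "for DS <zone>" names the
# delegation whose DS record (or proof of absence) the forwarder did not supply.
# The lazy ".*?" skips the "key for validation ... previous validation failure" text.
FAILURE_RE = re.compile(
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>:"
    r".*?no DNSSEC records from (?P<forwarder>\S+) for DS (?P<zone>\S+) "
    r"while building chain of trust"
)


def parse_failure(line):
    """Return the parsed fields of one validation-failure line, or None."""
    m = FAILURE_RE.search(line)
    return m.groupdict() if m else None


def doubled_suffix(qname, zone):
    """True if qname ends with the zone's labels twice, e.g. host.fritz.box.fritz.box."""
    labels = qname.rstrip(".").split(".")
    z = zone.rstrip(".").split(".")
    n = len(z)
    return len(labels) >= 2 * n and labels[-n:] == z and labels[-2 * n:-n] == z


def summarize(log_text):
    """Count failures per (forwarder, zone) and collect doubled-suffix names."""
    per_zone = Counter()
    doubled = []
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec is None:
            continue
        per_zone[(rec["forwarder"], rec["zone"])] += 1
        if doubled_suffix(rec["qname"], rec["zone"]):
            doubled.append(rec["qname"])
    return per_zone, doubled


if __name__ == "__main__":
    counts, dbl = summarize(SAMPLE_LOG)
    for (fwd, zone), n in counts.most_common():
        print(f"{n:3d}  DS {zone:<14} not obtained from {fwd}")
    print("names with doubled suffix:", ", ".join(dbl) or "none")
```

Run against a full /var/log/daemon the per-zone counts show which local zones the forwarder is not returning DNSSEC data for, and the doubled-suffix list isolates the "...fritz.box.fritz.box." queries from the rest.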