Hi,
hold off on this question, I may have located something wrong in my
authoritative DNS server that I program and maintain.
dig @yellow.centroid.eu +dnssec 2019.schweinfurtdating.de
gives a wrong answer and has nothing to do with unwind. Sorry partially
because it made me look closer, but sorry for the noise.
Regards,
-peter
On Sun, Apr 07, 2019 at 04:06:20PM +0200, Peter J. Philipp wrote:
> Hi,
>
> A few days ago I had some trouble resolving my website schweinfurtdating.de
> from home. Chrome running on OpenBSD-current from March 18th would report
> NXDOMAIN. I had to reload a few times to get the webpage; it was a weird
> experience. Since I run a very unique DNS setup with TSIG'ed BIND nameservers,
> at first I thought it was anywhere between the application layer and those
> servers in between.
>
> However, when I checked schweinfurtdating.de today the image refused to load
> and I found that very weird. I happen to run a log of the lookups and found
> this:
>
> Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16 interface "2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56, region=8) for "2019.schweinfurtdating.de." type=(28) class=1, edns0, dnssecok, answering "2019.schweinfurtdating.de." (54/54)
>
> Apr 7 15:30:09 yellow delphinusdnsd[85741]: request on descriptor 3 interface "2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=TCP, region=8) for "2019.schweinfurtdating.de." type=(28) class=1, edns0, dnssecok, answering "2019.schweinfurtdating.de." (54/56)
>
> Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16 interface "2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56, region=8) for "de.centroid.eu." type=A(1) class=1, edns0, dnssecok, answering "NXDOMAIN"
>
> So there is a lookup right after 2019.schweinfurtdating.de from the same IP6
> that isn't even in my forwarders, and my server replied with NXDOMAIN. I
> hunted through my HTML text to see where it got de.centroid.eu from, and it
> doesn't exist. So I'm wondering if unwind is somehow generating the lookup for
> de.centroid.eu falsely and somehow influencing Chrome? Perhaps treating a
> lookup as an NXDOMAIN'ed answer?
>
> My /etc/unwind.conf file looks like this:
>
> beta$ more /etc/unwind.conf
> forwarder 192.168.177.3
>
> And somehow unwind is not preferring the forwarder for some reason. Is this
> a misconfig on my end? I want it to always use 192.168.177.3, as otherwise
> the DNS travels through DTAG (telekom.de), and I don't want that. The log
> does state though it came from DTAG.
>
> Many questions in one, I'm trying to figure out what went wrong that day and
> this lookup today.
>
> Regards,
> -peter
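Added example, not part of the thread and not code from delphinusdnsd or unwind: a small Python parser for request-log lines in the format shown in the quoted message, with a check for the sequence the poster noticed (a client gets a positive answer and, within a moment, an NXDOMAIN for a name in an unrelated zone). The regex is derived only from the three log lines above; the handling of queries without edns0/dnssecok flags, the meaning of ttl=TCP as "query arrived over TCP", and the grouping of names by their last two labels are assumptions. The sample inputs are the three entries from the post, re-joined onto one line each, plus a constructed copy of the third entry wrapped the way a pager prints it.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three delphinusdnsd entries from the post, one per line.
SAMPLE_LOG = """\
Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16 interface "2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56, region=8) for "2019.schweinfurtdating.de." type=(28) class=1, edns0, dnssecok, answering "2019.schweinfurtdating.de." (54/54)
Apr 7 15:30:09 yellow delphinusdnsd[85741]: request on descriptor 3 interface "2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=TCP, region=8) for "2019.schweinfurtdating.de." type=(28) class=1, edns0, dnssecok, answering "2019.schweinfurtdating.de." (54/56)
Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16 interface "2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56, region=8) for "de.centroid.eu." type=A(1) class=1, edns0, dnssecok, answering "NXDOMAIN"
"""

# Constructed sample: the third entry as a pager shows it, wrapped at a fixed
# column with a trailing '$' end-of-line marker (the style seen in the post).
WRAPPED_SAMPLE = """\
Apr 7 15:30:09 yellow delphinusdnsd[9644]: request on descriptor 16 interface "$
2001:19f0:6c01:1fad::1" from 2003:cb:3fff:4c23:b7c7:eef2:da93:5f15 (ttl=56, regi$
on=8) for "de.centroid.eu." type=A(1) class=1, edns0, dnssecok, answering "NXDO$
MAIN"
"""

TS_PREFIX = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ')

# Field layout inferred from the three lines above (assumption for other lines).
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'delphinusdnsd\[(?P<pid>\d+)\]: request on descriptor (?P<fd>\d+) '
    r'interface "(?P<iface>[^"]+)" from (?P<client>\S+) '
    r'\(ttl=(?P<ttl>[^,]+), region=(?P<region>\d+)\) '
    r'for "(?P<qname>[^"]+)" type=(?P<qtype>\S+) class=(?P<qclass>\d+), '
    r'(?:(?P<flags>.*?), )?answering "(?P<answer>[^"]+)"'
    r'(?: \((?P<counts>\d+/\d+)\))?$'
)


def rejoin_wrapped(text):
    """Undo pager wrapping: a line without a syslog timestamp continues the
    previous entry; a trailing '$' marker is dropped before joining. If the
    pager overwrote the last column with '$', that character is lost and the
    entry will not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('$'):
            line = line[:-1]
        if TS_PREFIX.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries


def parse_entry(line):
    """Dict for one request line, or None when the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    num = re.search(r'\((\d+)\)', d['qtype'])    # "(28)" or "A(1)"
    d['qtype_num'] = int(num.group(1)) if num else None
    d['tcp'] = d['ttl'] == 'TCP'                # assumption: ttl=TCP marks a TCP query
    d['flags'] = [f.strip() for f in d['flags'].split(',')] if d['flags'] else []
    d['qname'] = d['qname'].lower()
    return d


def parse_log(text):
    return [e for e in map(parse_entry, rejoin_wrapped(text)) if e]


def ts_seconds(ts):
    # Syslog timestamps carry no year; only differences are used.
    return (datetime.strptime(ts, '%b %d %H:%M:%S') - datetime(1900, 1, 1)).total_seconds()


def zone_key(qname, depth=2):
    """Crude zone grouping by the last `depth` labels (assumption); a real tool
    would compare against the zones the server is actually configured for."""
    return '.'.join(qname.rstrip('.').split('.')[-depth:])


def nxdomain_after_success(entries, window_seconds=2):
    """(positive, nxdomain) pairs: the same client got a positive answer and,
    within window_seconds, an NXDOMAIN for a name in a different zone."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e['client']].append(e)
    hits = []
    for es in by_client.values():
        for i, ok in enumerate(es):
            if ok['answer'] == 'NXDOMAIN':
                continue
            for nx in es[i + 1:]:
                if nx['answer'] != 'NXDOMAIN':
                    continue
                delta = ts_seconds(nx['ts']) - ts_seconds(ok['ts'])
                if 0 <= delta <= window_seconds and zone_key(nx['qname']) != zone_key(ok['qname']):
                    hits.append((ok, nx))
    return hits


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ok, nx in nxdomain_after_success(parse_log(text)):
        print(f"{nx['client']}: answered {ok['qname']} at {ok['ts']}, then NXDOMAIN for {nx['qname']}")
```

Run it with a log file as the first argument, or without arguments to use the embedded sample. On the sample it reports the two positive answers for 2019.schweinfurtdating.de followed by the NXDOMAIN for de.centroid.eu from the same client. The rejoin step only helps when the pager appended the wrap marker; in the third entry as quoted above the marker replaced the last character of each wrapped line ("reg$" for "region", "NXDO$" / "AIN"), so that text has to be repaired by hand before it parses.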