--- Begin Message ---
> On 2020-10-30, at 02:21, Phil Pennock <[email protected]> wrote:
>
> On 2020-10-29 at 21:17 +0100, Jeroen Massar wrote:
>> I can only first suggest starting to use 'dig', as then it also shows you
>> which server is answering you and whether it is using TCP or not, just
>> in case a random one is chosen from some config snippet.
>
> Yes, I used that, the host output was shorter to paste into an email.
> systemd-resolved is on 127.0.0.53 as a host-local resolver, so the
> details of transport to it are pretty irrelevant: this is systemd
> rejecting answers which two other implementations of validating
> resolvers, on the local network, accept just fine.
If you are sure the answers come from there always, then indeed, it does not
matter too much.
Though, your box still needs to talk to the network and the network might
intercept things, lots of fun with AAAA records being just dropped by
intermediate boxes, thus DNSSEC signatures can be even more fun.
(For that matter, it is hilarious that they are introducing HTTPS records now... they
will run into the same issue, but possibly many boxes have been swapped out
since, or resolving has just been centralized by the big corporations.)
With dig you can ask for +dnssec and see more details from there.
It looks like you might have to run a tcpdump in the background, fortunately
most uses of DNS are not encrypted (at least for the debugging case).
But likely it is just a corner case that systemd does not handle properly.
>> Note that upstream servers, NAT/firewall/router boxes can interfere with DNS
>> and cause weird/unknown results too.
>
> Thank you, but in this case the unbound/knot-resolver servers are the
> upstream/forwarding servers, the knot being on the router itself, which
> is a quite capable unit, not random cheap home junk.
>
> This is specifically systemd-resolved rejecting entries which other
> validating resolvers decide validate.
>
> Works with:
> Unbound: "Version 1.12.0", OpenSSL 1.1.1h
> "Knot Resolver, version 5.1.2"
Strace and otherwise turning up the debugging settings for resolved if it has
any.
But likely you will just end up in systemd-fight land...
Simplicity (KISS) and debuggability are so overrated by all the many use cases
that exist :(
But hey, it keeps a lot of consultants in a job: write crap software, earn lots of
moneyz fixing the broken things...
Greets,
Jeroen
--- End Message ---
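The thread's suggestion is to query the same name with `dig +dnssec` against 127.0.0.53 (systemd-resolved) and against the upstream validating resolvers, then compare which server answered, the status, and whether the AD (authenticated data) flag was set. The script below is an added example, not code from the thread or from any of the projects named in it: `summarize_dig` parses the header of a `dig` answer read from stdin, `verdict` compares two summaries, and `compare_resolvers` runs the live queries. The two sample `dig` outputs and the resolver address 192.0.2.53 are constructed for illustration; the real output would come from your own resolvers.

```shell
#!/bin/sh
# Added example: compare DNSSEC validation results across resolvers.
# Not part of the mailing-list thread; sample outputs below are constructed.

# summarize_dig: read `dig ... +dnssec` output on stdin and print one line:
#   server=<ip> status=<rcode> ad=yes|no
summarize_dig() {
    awk '
        # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234"
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
        }
        # ";; flags: qr rd ra ad; QUERY: 1, ..." -> look for the ad flag
        /^;; flags:/ {
            ad = "no"
            for (i = 1; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "ad") ad = "yes" }
        }
        # ";; SERVER: 127.0.0.53#53(127.0.0.53)" -> keep only the address
        /^;; SERVER:/ { srv = $3; sub(/#.*/, "", srv) }
        END { printf "server=%s status=%s ad=%s\n", srv, s, ad }
    '
}

# verdict SUMMARY_A SUMMARY_B: AGREE if status and ad flag match, else DISAGREE
verdict() {
    a=${1#*status=}
    b=${2#*status=}
    [ "$a" = "$b" ] && echo AGREE || echo DISAGREE
}

# compare_resolvers NAME TYPE SERVER...: live queries, one summary line per server
compare_resolvers() {
    name=$1; type=$2; shift 2
    for srv in "$@"; do
        dig @"$srv" "$name" "$type" +dnssec +time=3 +tries=1 | summarize_dig
    done
}

# Constructed sample outputs (trimmed to the header lines the parser uses).
SAMPLE_RESOLVED='; <<>> DiG 9.16.1 <<>> @127.0.0.53 example.net A +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.53#53(127.0.0.53)'

SAMPLE_UNBOUND='; <<>> DiG 9.16.1 <<>> @192.0.2.53 example.net A +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.0.2.53#53(192.0.2.53)'

# Offline demo on the constructed samples; returns the verdict line.
demo() {
    r=$(printf '%s\n' "$SAMPLE_RESOLVED" | summarize_dig)
    u=$(printf '%s\n' "$SAMPLE_UNBOUND" | summarize_dig)
    echo "$r"
    echo "$u"
    verdict "$r" "$u"
}

# Usage: ./dnssec_compare.sh example.net A 127.0.0.53 192.0.2.53
if [ "$#" -ge 3 ] && command -v dig >/dev/null 2>&1; then
    compare_resolvers "$@"
else
    demo
fi
```

A SERVFAIL without AD from 127.0.0.53 next to NOERROR with AD from the upstream is exactly the discrepancy the thread describes, and the summary lines are small enough to paste into a bug report alongside a `tcpdump` capture of the same exchange.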
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations