Being a long-time happy TO user, I noticed a strange issue with a particular website: www.cssz.cz. Web browsers say the server is not found, while other domains/websites work flawlessly.
The setup is pretty basic: TurrisOS 5.2.7 on Turris Omnia, LTE uplink (IPv4 only), NAT, clients connected mostly over Wi-Fi. DNS: kresd set to forward requests to Cloudflare (TLS), DNSSEC validation enabled. I think this is the default config, just a different remote resolver is selected in reForis.
To diagnose, I did a quick digging around – we get the correct A record, but SERVFAIL flag is present: [LOG1 link in the post below]
Enabling verbose logging with
# socat - /tmp/kresd/control/*
gives the following: [LOG2 link in the second post]
Asking Cloudflare’s resolver directly (dig @188.8.131.52 www.cssz.cz) or NIC.CZ’s resolver (dig @184.108.40.206 www.cssz.cz) succeeds. I read both use kresd internally.
Disabling DNSSEC validation in reForis DNS settings makes the problem go away, but is not a good solution.
Also making a hotspot on a mobile phone and connecting over that works well (using ISP’s resolvers - whatever they are).
I highly suspect the problem is on the other end – with cssz’s DNS/DNSSEC records (like in a few other threads on this forum). Also their TTL of just 5 seconds feels uncommon.
Some “red things” show up when entering the domain name to this DNSSEC analyzer, but I would prefer someone more knowledgable to verify if I need to fix something, or if the issue should be reported to them.
Thanks for your input!