Hello
Sometimes there are some domains which aren't resolved.
I'm trying to find out what the cause is and increase kresd verbosity.
Now I'm trying to understand the log. Any help regarding DS, NS, insecure and so on?
Dec 8 09:56:12 turris kresd[24577]: [plan ][00000.00] plan 'eu-west-3.console.aws.amazon.com.' type 'A' uid [26770.00]
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.00] 'eu-west-3.console.aws.amazon.com.' type 'A' new uid was assigned .01, parent uid .00
Dec 8 09:56:12 turris kresd[24577]: [cache ][26770.01] => skipping unfit CNAME RR: rank 030, new TTL -331
Dec 8 09:56:12 turris kresd[24577]: [cache ][26770.01] => skipping unfit NS packet: rank 030, new TTL 13
Dec 8 09:56:12 turris kresd[24577]: [cache ][26770.01] => no NSEC* cached for zone: aws.amazon.com.
Dec 8 09:56:12 turris kresd[24577]: [cache ][26770.01] => skipping zone: aws.amazon.com., NSEC, hash 0;new TTL -123456789, ret -2
Dec 8 09:56:12 turris kresd[24577]: [cache ][26770.01] => skipping zone: aws.amazon.com., NSEC, hash 0;new TTL -123456789, ret -2
Dec 8 09:56:12 turris kresd[24577]: [zoncut][26770.01] found cut: aws.amazon.com. (rank 010 return codes: DS 1, DNSKEY 1)
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.01] => NS is provably without DS, going insecure
Dec 8 09:56:12 turris kresd[24577]: [select][26770.01] => id: '01758' choosing: 'ns-932.amazon.com.'@'52.16.221.207#00053' with timeout 49 ms zone cut: 'aws.amazon.com.'
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.01] => id: '01758' querying: 'ns-932.amazon.com.'@'52.16.221.207#00053' zone cut: 'aws.amazon.com.' qname: 'coNsoLe.aWs.AmazoN.cOM.' qtype: 'NS' proto: 'udp'
Dec 8 09:56:12 turris kresd[24577]: [select][26770.01] => id: '01758' updating: 'ns-932.amazon.com.'@'52.16.221.207#00053' zone cut: 'aws.amazon.com.' with rtt 28 to srtt: 29 and variance: 2
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.01] <= rcode: NXDOMAIN
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.01] <= retrying with non-minimized name
Dec 8 09:56:12 turris kresd[24577]: [cache ][26770.01] => not overwriting NS console.aws.amazon.com.
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.01] 'eu-west-3.console.aws.amazon.com.' type 'A' new uid was assigned .02, parent uid .00
Dec 8 09:56:12 turris kresd[24577]: [select][26770.02] => id: '64548' choosing: 'ns-932.amazon.com.'@'52.16.221.207#00053' with timeout 49 ms zone cut: 'us-east-1.console.aws.amazon.com.'
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.02] => id: '64548' querying: 'ns-932.amazon.com.'@'52.16.221.207#00053' zone cut: 'us-east-1.console.aws.amazon.com.' qname: 'eu-wESt-3.ConSOLe.Aws.AMaZon.cOM.' qtype: 'A' proto: 'udp'
Dec 8 09:56:12 turris kresd[24577]: [select][26770.02] => id: '64548' updating: 'ns-932.amazon.com.'@'52.16.221.207#00053' zone cut: 'us-east-1.console.aws.amazon.com.' with rtt 28 to srtt: 29 and variance: 2
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.02] <= rcode: NOERROR
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.02] AD: request NOT classified as SECURE
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.02] finished in state: 4, queries: 1, mempool: 16392 B
I'm trying to reach eu-west-3.console.aws.amazon.com and for now I have to bypass kresd to get to it.
But most disturbing is that kresd said: NOERROR!
Is it regarding DNSSEC? Should I update root keys?
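
One way to condense a verbose trace like the one above into one record per sub-query (an added example, not part of the original post and not Knot Resolver code). The regular expressions assume the line layout seen in this log, and `summarize` is a hypothetical helper name.

```python
import re

# Excerpt of the kresd verbose log from the post above (copied, not constructed).
LOG = """\
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.01] => NS is provably without DS, going insecure
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.01] => id: '01758' querying: 'ns-932.amazon.com.'@'52.16.221.207#00053' zone cut: 'aws.amazon.com.' qname: 'coNsoLe.aWs.AmazoN.cOM.' qtype: 'NS' proto: 'udp'
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.01] <= rcode: NXDOMAIN
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.01] <= retrying with non-minimized name
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.02] => id: '64548' querying: 'ns-932.amazon.com.'@'52.16.221.207#00053' zone cut: 'us-east-1.console.aws.amazon.com.' qname: 'eu-wESt-3.ConSOLe.Aws.AMaZon.cOM.' qtype: 'A' proto: 'udp'
Dec 8 09:56:12 turris kresd[24577]: [iterat][26770.02] <= rcode: NOERROR
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.02] AD: request NOT classified as SECURE
Dec 8 09:56:12 turris kresd[24577]: [resolv][26770.02] finished in state: 4, queries: 1, mempool: 16392 B
"""

# "[group ][request.subquery] message", as laid out in the log above (assumed format).
LINE = re.compile(r"kresd\[\d+\]: \[(\w+)\s*\]\[(\d+)\.(\d+)\] (.*)$")
QUERY = re.compile(r"querying: '([^']+)'@'([^'#]+)#\d+' zone cut: '([^']+)' "
                   r"qname: '([^']+)' qtype: '([^']+)'")

def summarize(log):
    """Group lines by request id and sub-query uid: {request: [sub-query dicts]}."""
    requests = {}
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        _group, req, sub, msg = m.groups()
        subs = requests.setdefault(req, {})
        q = subs.setdefault(sub, {"uid": sub, "insecure": False, "retried": False})
        hit = QUERY.search(msg)
        if hit:
            q["server"], q["addr"], q["zone_cut"] = hit.group(1, 2, 3)
            # Mixed-case qname is lowered; DNS names compare case-insensitively.
            q["qname"], q["qtype"] = hit.group(4).lower(), hit.group(5)
        elif msg.startswith("<= rcode: "):
            q["rcode"] = msg.split(": ", 1)[1]
        elif "going insecure" in msg:
            q["insecure"] = True      # zone cut reported as having no DS record
        elif "retrying with non-minimized name" in msg:
            q["retried"] = True       # minimized query failed, full name is tried next
        elif "NOT classified as SECURE" in msg:
            q["ad"] = False           # answer is returned without the AD flag
    return {req: list(subs.values()) for req, subs in requests.items()}

if __name__ == "__main__":
    for req, subs in summarize(LOG).items():
        for q in subs:
            print(req, q["uid"], q.get("qname"), q.get("qtype"), "->", q.get("rcode"), q)
```

Read this way, the trace shows two upstream queries for request 26770: an `NS` query for `console.aws.amazon.com.` answered with NXDOMAIN, followed by the retried `A` query for the full name answered with NOERROR.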