I have troubles resolving www.horizon.tv using default kresd.
I have forwarding to provider set on. I have tried forward to cz-nic and not forward at all, but seems kresd can’t resolve.
When using dsnsmasq, resolving works.
I have TOS 5.0.3. Does anyone have problem with this or other versions?
FYI, packet capture shows:
39 20.635527 00:21:85:1c:1a:0d 192.168.x.y 45036 192.168.x.1 53 DNS Standard query 0xb9e1 A www.horizon.tv OPT
40 20.635527 00:21:85:1c:1a:0d 192.168.x.y 45036 192.168.x.1 53 DNS Standard query 0xb9e1 A www.horizon.tv OPT
41 20.636040 a.b.c.d 38492 195.28.64.99 53 DNS Standard query 0xb79d DS hOrIzON.tV OPT
42 20.638302 195.28.64.99 53 a.b.c.d 38492 DNS Standard query response 0xb79d DS hOrIzON.tV SOA ac1.nstld.com RRSIG RRSIG NSEC3 RRSIG NSEC3 OPT
43 20.638702 04:f0:21:31:85:47 192.168.x.1 53 192.168.x.y 45036 DNS Standard query response 0xb9e1 Server failure A www.horizon.tv OPT
44 20.638711 04:f0:21:31:85:47 192.168.x.1 53 192.168.x.y 45036 DNS Standard query response 0xb9e1 Server failure A www.horizon.tv OPT
45 20.638714 04:f0:21:31:85:47 192.168.x.1 53 192.168.x.y 45036 DNS Standard query response 0xb9e1 Server failure A www.horizon.tv OPT
I tried many attempts in various modes but I’m unable to reproduce any problem (Omnia + 5.0.3). From your capture it seems that the packet 42 from your ISP’s resolver contained something that kresd doesn’t like, e.g. incorrect DNSSEC proof, but it seems hard to see what’s happening or to assign blame to any side until we have more information.
Right. The usual way is tech.support@turris.cz, as the huge logs might contain something sensitive. It would probably be enough to just cut the short moment of processing the failing request (and easier to check that it can be posted publicly), but you may not want to bother with that.
In the sent logs kresd never even gets to sending the packets above.
[plan] plan 'tv.' type 'DNSKEY' uid [06001.06]
[iter] 'tv.' type 'DNSKEY' new uid was assigned .07, parent uid .05
[hint] <= answered from hints
Someone apparently defined address(es) for name tv. which by default clears everything on that name, including DNSKEY tv. There are reasons why DHCP names are nested under lan. by default.
OK, even lan. isn’t really officially reserved, but we would most likely know in advance if ICANN was about to delegate it.
Yes, most likely triggered by fixing one bug in our behavior. If this is important, this particular problem should get worked around by one kresd config line