From: Tim Daneliuk
To: FreeBSD Mailing List
Subject: Re: FreeBSD Trust Chain
Date: Thu, 13 Jan 2022 08:06:01 -0600
Message-ID: <48f535f9-649f-d28c-9684-a4807eef5729@tundraware.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 1/13/22 3:42 AM, Tomasz CEDRO wrote:
> Do you use local_unbound? Some people (including me) recently noticed
> resolve problems with local_unbound when using local LAN dns servers
> (i.e. 192.168.0.1) on a desktop machine, when using external dns only
> for local_unbound all seems to work fine, when using that local LAN
> resolver directly without local_unbound also all seems to work fine.
> Looks a bit similar issue somewhere out there maybe? :-)
>

Nope, we're not using local_unbound.

The machine in question is a public facing DNS server behind a static IP
on the Comcast Business network. It also acts as a NATing firewall to one
of our LANs.

The bind instance there properly resolves queries for our zone. But when it
is asked to look up something outside our own domain, it intermittently fails
to do so with no predictable pattern. Adding a forwarder - either Cloudflare's
or one of our other master DNS servers not on the same network, everything
resolves just fine.

This configuration has been in place and working for years so we surmise that
either something got broken by a recent bind update, or Comcast is doing evil
things with DNS queries.

--
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/