After installing a new firewall layout, Firefox told me my own webpages were “deceptive sites” with an unknown certificate, and showed the (perfectly valid) certificate that they have.
Then in the DNS logs I found frequent errors that the hostname of the OCSP verifier site could not be resolved.
Also, DNS server would be rather slow.
Further analysis showed that all IPv6 queries would not work and would time out until named falls back to IPv4, which explains the 3-4 second delay (often more).
Packet sniffing then showed that the requests would actually go out to the DNS root servers; only, no reply would ever come back. Hardly believable, and certainly not a flaw in the firewall config, but something else.
Finally I figured that suricata is the culprit: it appears to damage the outgoing DNS request packets in a way so that they cannot be answered anymore. And it does so in a stealthy way, not reporting into a log.
Packet before suricata:
IP6 (hlim 64, next-header UDP (17) payload length: 52) 2003:e7:17ff:1d56:41d:92ff:fe01:301.10169 > 2001:500:200::b.53: [udp sum ok]
Packet after suricata:
IP6 (hlim 64, next-header UDP (17) payload length: 52) 2003:e7:17ff:1d56:41d:92ff:fe01:301.59568 > 2001:500:200::b.53: [bad udp cksum 0x15b0 → 0x6c71!]
How can this be fixed?
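The tcpdump lines above show the mechanism: the UDP source port of the query was rewritten (10169 became 59568) but the UDP checksum was left stale, so tcpdump flags "bad udp cksum" and the root server silently discards the datagram (in IPv6 the UDP checksum is mandatory and covers a pseudo-header with both addresses). The following script is an added example, not code from the original post or from suricata or named; it computes the IPv6 UDP checksum for a constructed DNS query using the addresses and ports from the post, shows that rewriting the port without fixing the checksum produces exactly the kind of "bad udp cksum" result seen above, and shows the correct fixup. The DNS payload, the `tcpdump_style` helper and its output format are constructed for illustration.

```python
"""Verify and recompute the UDP checksum of an IPv6 DNS packet (added example).

The UDP checksum covers an IPv6 pseudo-header (source, destination,
upper-layer length, next header = 17) followed by the UDP header and payload
(RFC 768, RFC 8200 section 8.1). IPv6 makes the checksum mandatory, so a
receiver drops a datagram whose checksum is wrong; a mangled query therefore
never gets an answer, which matches the symptom described in the post.
"""
import ipaddress
import struct

UDP_PROTO = 17

# Addresses and ports taken from the tcpdump lines in the post.
SRC = "2003:e7:17ff:1d56:41d:92ff:fe01:301"
DST = "2001:500:200::b"
ORIG_SPORT = 10169
REWRITTEN_SPORT = 59568

# Constructed DNS payload: ID 0x1234, standard query, one question "." NS IN.
DNS_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
             + b"\x00"                      # root label "."
             + bytes.fromhex("0002 0001"))  # QTYPE NS, QCLASS IN


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (the IP checksum primitive)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp6_checksum(src: str, dst: str, udp_segment: bytes) -> int:
    """Checksum for a UDP segment carried in IPv6 from src to dst.

    The checksum field inside udp_segment is treated as zero, so this works
    both for building a packet and for checking a received one.
    """
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(udp_segment))
              + b"\x00\x00\x00" + bytes([UDP_PROTO]))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    # A computed 0 is transmitted as 0xFFFF: 0 means "no checksum", which IPv6 forbids.
    return csum or 0xFFFF


def build_udp6(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment (header + payload) with a correct IPv6 checksum."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp6_checksum(src, dst, hdr + payload)
    return hdr[:6] + struct.pack("!H", csum) + payload


def udp6_checksum_ok(src: str, dst: str, udp_segment: bytes) -> bool:
    """True if the stored checksum is present and matches the recomputed one."""
    stored = struct.unpack("!H", udp_segment[6:8])[0]
    return stored != 0 and udp6_checksum(src, dst, udp_segment) == stored


def rewrite_sport(src: str, dst: str, udp_segment: bytes, new_sport: int,
                  fix_checksum: bool) -> bytes:
    """Change the UDP source port the way a NAT or port rewrite would.

    fix_checksum=False leaves the old checksum in place (the broken packet in
    the post); fix_checksum=True recomputes it, which is what a correct
    rewriter must do.
    """
    seg = struct.pack("!H", new_sport) + udp_segment[2:]
    if fix_checksum:
        seg = seg[:6] + struct.pack("!H", udp6_checksum(src, dst, seg)) + seg[8:]
    return seg


def tcpdump_style(src: str, dst: str, udp_segment: bytes) -> str:
    """Render the checksum verdict in the same shape tcpdump -vv prints it."""
    stored = struct.unpack("!H", udp_segment[6:8])[0]
    expected = udp6_checksum(src, dst, udp_segment)
    if stored == expected:
        return "[udp sum ok]"
    return "[bad udp cksum 0x%04x -> 0x%04x!]" % (stored, expected)


if __name__ == "__main__":
    pkt = build_udp6(SRC, DST, ORIG_SPORT, 53, DNS_QUERY)
    print("original query:                 ", tcpdump_style(SRC, DST, pkt))
    stale = rewrite_sport(SRC, DST, pkt, REWRITTEN_SPORT, fix_checksum=False)
    print("port rewritten, checksum stale: ", tcpdump_style(SRC, DST, stale))
    fixed = rewrite_sport(SRC, DST, pkt, REWRITTEN_SPORT, fix_checksum=True)
    print("port rewritten, checksum fixed: ", tcpdump_style(SRC, DST, fixed))
```

Run it with `python3` and compare the second line of output with the "after suricata" tcpdump line above: both show a stored checksum that no longer matches the one computed over the rewritten header. The same `udp6_checksum_ok` check, fed the UDP segment from a capture, tells you whether the packet as it left the box is one a remote resolver can accept, independent of whatever the local stack or NIC offload reports.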