Maintained by: NLnet Labs

[Unbound-users] DNSSEC problems

David Benfell
Sun Jun 10 08:26:42 CEST 2012


Hi all,

I'm trying again to convince my unbound to do DNSSEC. I'm not seeing
what I'm doing wrong. Here's a log snippet that covers the messages
I'm seeing as problematic:

Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: validation failure
<122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for
trust anchor . while building chain of trust
Jun  9 23:09:29 atlanta unbound: [3180:0] info: validation failure
<94-73-154-122.cizgi.net.tr. A IN>: key for validation . is marked as
invalid because of a previous validation failure
<122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for
trust anchor . while building chain of trust
Jun  9 23:09:29 atlanta unbound: [3180:0] info: validation failure
<94-73-154-122.cizgi.net.tr.members.linode.com. A IN>: key for
validation . is marked as invalid because of a previous validation
failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from
127.0.0.1 for trust anchor . while building chain of trust

The configuration:

atlanta# egrep -v "^[[:cntrl:] ]*[#;]|^$" /etc/unbound/unbound.conf
server:
	verbosity: 1
	extended-statistics: yes
	interface: 10.8.0.1
	do-ip4: yes
	do-ip6: yes
	do-udp: yes
	do-tcp: yes
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 10.8.0.0/16 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	chroot: ""
	harden-referral-path: yes
	use-caps-for-id: yes
	private-address: 10.0.0.0/8
	private-address: 172.16.0.0/12
	private-address: 192.168.0.0/16
	private-address: 192.254.0.0/16
	private-address: fd00::/8
	private-address: fe80::/10
	do-not-query-localhost: no
	prefetch: yes
	prefetch-key: yes
	
	auto-trust-anchor-file: "/etc/unbound/root.key"
	val-log-level: 2
	
        local-zone: "parts-unknown.org." static
        local-data: "parts-unknown.org. IN A 74.207.225.79"
        local-data: "parts-unknown.org. IN MX 10 parts-unknown.org."
        local-data: "atlanta.parts-unknown.org. IN A 10.8.0.1"
        local-data: "mail.parts-unknown.org. IN A 10.8.0.1"
        local-data: "graton.parts-unknown.org. IN A 10.8.0.10"
	local-data: "graton.parts-unknown.org. IN MX 20 parts-unknown.org."
	local-data: "graton.parts-unknown.org. IN MX 10
graton.parts-unknown.org."
        local-data: "n4rky.parts-unknown.org. IN A 10.8.0.22"
        local-data: "notary.parts-unknown.org. IN A 10.8.0.1"
        local-data: "www.parts-unknown.org. IN A 74.207.225.79"
	local-data: "s.parts-unknown.org. IN A 74.207.225.79"
        local-zone: "cybernude.org." static
        local-data: "cybernude.org. IN A 173.230.137.73"
        local-data: "cybernude.org. IN MX 10 parts-unknown.org."
        local-data: "atlanta.cybernude.org. IN A 10.8.0.1"
        local-data: "graton.cybernude.org. IN A 10.8.0.10"
	local-data: "graton.cybernude.org. IN MX 20 parts-unknown.org."
	local-data: "graton.cybernude.org. IN MX 10 graton.parts-unknown.org."
        local-data: "n4rky.cybernude.org. IN A 10.8.0.22"
        local-data: "www.cybernude.org. IN A 10.8.0.10"
	local-data: "s.cybernude.org. IN A 173.230.137.73"
        local-zone: "disunitedstates.com." static
        local-data: "disunitedstates.com. IN A 173.230.137.73"
        local-data: "disunitedstates.com. IN MX 10 parts-unknown.org."
        local-data: "atlanta.disunitedstates.com. IN A 10.8.0.1"
        local-data: "graton.disunitedstates.com. IN A 10.8.0.10"
	local-data: "graton.disunitedstates.com. IN MX 10
graton.parts-unknown.org."
        local-data: "graton.disunitedstates.com. IN MX 20
parts-unknown.org."
        local-data: "n4rky.disunitedstates.com. IN A 10.8.0.22"
        local-data: "www.disunitedstates.com. IN A 173.230.137.73"
        local-data: "www.joomla.disunitedstates.com. IN A 173.230.137.73"
	local-data: "s.disunitedstates.com. IN A 173.230.137.73"
        local-zone: "disunitedstates.org." static
        local-data: "disunitedstates.org. IN A 173.230.137.76"
        local-data: "disunitedstates.org. IN MX 10 parts-unknown.org."
        local-data: "atlanta.disunitedstates.org. IN A 10.8.0.1"
        local-data: "graton.disunitedstates.org. IN A 10.8.0.10"
        local-data: "graton.disunitedstates.org. IN MX 20
parts-unknown.org."
        local-data: "graton.disunitedstates.org. IN MX 10
graton.parts-unknown.org."
        local-data: "n4rky.disunitedstates.org. IN A 10.8.0.22"
        local-data: "www.disunitedstates.org. IN A 173.230.137.76"
	local-data: "s.disunitedstates.org. IN A 173.230.137.76"
        local-zone: "n4rky.me." static
        local-data: "n4rky.me. IN A 173.230.137.73"
        local-data: "n4rky.me. IN MX 10 parts-unknown.org."
        local-data: "atlanta.n4rky.me. IN A 10.8.0.1"
        local-data: "graton.n4rky.me. IN A 10.8.0.10"
        local-data: "n4rky.n4rky.me. IN A 10.8.0.22"
        local-data: "www.n4rky.me. IN A 173.230.137.73"
	local-data: "s.n4rky.me. IN A 173.230.137.73"
	local-data-ptr: "10.8.0.1 atlanta.parts-unknown.org"
	local-data-ptr: "10.8.0.10 graton.parts-unknown.org"
	local-data-ptr: "10.8.0.22 n4rky.parts-unknown.org"
python:
remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
forward-zone:
  name: "."
  forward-addr: 127.0.0.1 at 53

The current contents of root-key (sorry for line breaks):

atlanta# cat /etc/unbound/root.key
. IN DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

I went over this item for item. As near as I can tell it is a correct
initial value.

I run su unbound "/usr/sbin/unbound-anchor -a /etc/unbound/root.key"
but it has no effect:

atlanta# ls -al /etc/unbound/root.key
-rw-r--r-- 1 unbound unbound 83 Jun  9 17:39 /etc/unbound/root.key

This unbound is intended to serve not only my server but an openvpn,
hence all the references to 10.8.0.x and the availability of 127.0.0.1
port 53 for dnscrypt-proxy:

atlanta# lsof -n | grep domain
unbound    3180        unbound    3u     IPv4           12285662
  0t0        UDP 10.8.0.1:domain
unbound    3180        unbound    4u     IPv4           12285663
  0t0        TCP 10.8.0.1:domain (LISTEN)
lua        4086        prosody   23u     IPv4            2057523
  0t0        UDP 173.230.137.73:35155->75.127.97.6:domain
dnscrypt- 30415         nobody    6u     IPv4           12252389
  0t0        TCP 127.0.0.1:domain (LISTEN)
dnscrypt- 30415         nobody    7u     IPv4           12252390
  0t0        UDP 127.0.0.1:domain

What else should I tell you?

Thanks!
-- 
David Benfell
benfell at parts-unknown.org
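As an added example (not from the post and not Unbound's own code), a small Python parser for the two kinds of unbound DNSSEC log line quoted above: it pulls out the trust anchor that failed to prime, the query that failed validation and the upstream address unbound says answered without signatures, which is the first thing to check when priming fails behind a forwarder. The sample lines are constructed copies of the ones in the post, rejoined onto single lines as syslog writes them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: copies of the unbound log lines quoted in the post, plus
# one unrelated line, each rejoined onto a single line as syslog writes them.
SAMPLE_LOG = """\
Jun  9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun  9 23:09:29 atlanta unbound: [3180:0] info: validation failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for trust anchor . while building chain of trust
Jun  9 23:09:29 atlanta unbound: [3180:0] info: validation failure <94-73-154-122.cizgi.net.tr. A IN>: key for validation . is marked as invalid because of a previous validation failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for trust anchor . while building chain of trust
Jun  9 23:09:30 atlanta unbound: [3180:0] info: resolving example.com. A IN
"""

# "failed to prime trust anchor -- <reason> <anchor> DNSKEY IN"
PRIME_RE = re.compile(r"failed to prime trust anchor -- (?P<reason>.+?) (?P<anchor>\S+) DNSKEY IN$")
# "validation failure <qname qtype qclass>: <reason>"
VALFAIL_RE = re.compile(r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+)$")
# When unsigned data was the cause, the reason names the upstream that returned it.
NOSIG_RE = re.compile(r"no signatures from (?P<upstream>\S+) for trust anchor (?P<anchor>\S+)")

@dataclass
class DnssecEvent:
    kind: str                        # "prime-failure" or "validation-failure"
    name: str                        # trust anchor name, or the failing query name
    reason: str
    upstream: Optional[str] = None   # address that answered without RRSIGs, if known

def parse_unbound_log(text: str) -> List[DnssecEvent]:
    """Turn unbound's DNSSEC log lines into structured events; other lines are ignored."""
    events: List[DnssecEvent] = []
    for line in text.splitlines():
        m = PRIME_RE.search(line)
        if m:
            events.append(DnssecEvent("prime-failure", m.group("anchor"), m.group("reason")))
            continue
        m = VALFAIL_RE.search(line)
        if m:
            reason = m.group("reason")
            nosig = NOSIG_RE.search(reason)
            events.append(DnssecEvent("validation-failure", m.group("qname"), reason,
                                      nosig.group("upstream") if nosig else None))
    return events

def upstreams_without_signatures(events: List[DnssecEvent]) -> Set[str]:
    """Upstreams unbound blames for missing RRSIGs: the forwarder to check first."""
    return {e.upstream for e in events if e.upstream}
```

Run it over a real log file by passing the file's contents to `parse_unbound_log`; a non-empty result from `upstreams_without_signatures` means the forwarder at that address is returning answers without RRSIGs, so the validator can never build a chain from the configured anchor.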
