Maintained by: NLnet Labs

[Unbound-users] DNSSEC problems

Leen Besselink
Sun Jun 10 23:07:36 CEST 2012


On Sun, Jun 10, 2012 at 11:59:38AM -0700, David Benfell wrote:
> Hi Jan-Piet,
> 
> On 06/10/12 03:58, Jan-Piet Mens wrote:
> > local-zone: 127.in-addr.arpa. nodefault
> 
> So I added this, restarted unbound, then did:
> 
> atlanta# su unbound "/usr/sbin/unbound-anchor -a /etc/unbound/root.key -v"
> atlanta# rc.d restart unbound ; tail -f /var/log/everything.log
> :: Stopping unbound daemon
> 
>                                                   [DONE]
> :: Starting unbound daemon
> 
>                                                   [DONE]
> Jun 10 11:55:47 atlanta unbound: [30792:0] info: histogram of
> recursion processing times
> Jun 10 11:55:47 atlanta unbound: [30792:0] info: [25%]=0.01536
> median[50%]=0.028672 [75%]=0.0503223
> Jun 10 11:55:47 atlanta unbound: [30792:0] info: lower(secs)
> upper(secs) recursions
> Jun 10 11:55:47 atlanta unbound: [30792:0] info:    0.008192    0.016384 6
> Jun 10 11:55:47 atlanta unbound: [30792:0] info:    0.016384    0.032768 6
> Jun 10 11:55:47 atlanta unbound: [30792:0] info:    0.032768    0.065536 7
> Jun 10 11:55:47 atlanta unbound: [30792:0] info:    0.131072    0.262144 1
> Jun 10 11:55:47 atlanta unbound: [30792:0] info:    0.262144    0.524288 1
> Jun 10 11:55:49 atlanta unbound: [30928:0] notice: init module 0:
> validator
> Jun 10 11:55:49 atlanta unbound: [30928:0] notice: init module 1: iterator
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: start of service
> (unbound 1.4.17).
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
> anchor -- DNSKEY rrset is not secure . DNSKEY IN
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
> anchor -- DNSKEY rrset is not secure . DNSKEY IN
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
> anchor -- DNSKEY rrset is not secure . DNSKEY IN
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
> anchor -- DNSKEY rrset is not secure . DNSKEY IN
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
> anchor -- DNSKEY rrset is not secure . DNSKEY IN
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
> anchor -- DNSKEY rrset is not secure . DNSKEY IN
> Jun 10 11:55:49 atlanta unbound: [30928:0] info: validation failure <.
> DNSKEY IN>: no signatures from 127.0.0.1 for trust anchor . while
> building chain of trust
> 
> And it is as before.
> 
> Thanks!

Hmmm...

Could it be a firewall problem? For example, the response might be too large?

I don't know what kind of tooling is available on a Mac, but I think it has 'dig'.

So maybe you could try this on the command line?

dig +norec +dnssec @193.0.14.129 . NS

> - -- 
> David Benfell
> benfell at parts-unknown.org
> 
> 
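
Added example, not part of the original thread: a small shell helper for reading the result of the dig test suggested above against the "firewall / response too large" hypothesis. The function name `classify_dig`, its verdict words and the sample dig outputs are constructed for illustration; the live check at the end needs network access and only runs when a server address is given.

```shell
#!/bin/sh
# Added example: classify `dig +norec +dnssec @SERVER . NS` output against the
# "firewall / response too large" hypothesis. Reads dig output on stdin.
classify_dig() {
    awk '
        /connection timed out|no servers could be reached/ { timeout = 1 }
        /^;; flags:/ {
            s = $0; sub(/^;; flags:/, "", s); sub(/;.*/, "", s)
            if (s ~ / tc( |$)/) tc = 1        # TC bit: reply was truncated
        }
        !/^;/ && $4 == "RRSIG" { rrsig = 1 }  # a signature record arrived
        END {
            if (timeout)    print "no-response"  # nothing came back at all
            else if (tc)    print "truncated"    # did not fit in the UDP buffer
            else if (rrsig) print "dnssec-ok"    # signed answer got through
            else            print "no-rrsig"     # answer arrived, signatures missing
        }'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
. 518400 IN NS a.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 (constructed, signature elided)
;; MSG SIZE  rcvd: 857'

SAMPLE_TC=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 28'

SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
. 518400 IN NS a.root-servers.net.
;; MSG SIZE  rcvd: 228'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Live use (needs network), e.g.: sh check.sh 193.0.14.129
# Default-size UDP, 512-byte UDP and TCP are compared: "no-response" for large
# UDP while the small UDP or TCP query answers points at a path dropping big
# or fragmented DNS packets.
if [ -n "${1:-}" ]; then
    for opts in "+notcp +ignore" "+notcp +ignore +bufsize=512" "+tcp"; do
        result=$(dig +norec +dnssec $opts +time=3 +tries=1 "@$1" . NS 2>&1 | classify_dig)
        printf '%-30s %s\n' "$opts" "$result"
    done
fi
```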