Maintained by: NLnet Labs

[Unbound-users] old unbound, DNSSEC verification broke today

Phil Pennock
Thu Mar 7 03:12:20 CET 2013


I have an OpenWRT router device which has unbound 1.4.5 bundled for it
and I haven't yet gotten around to getting cross-compilation going so I
can build something newer myself.

Yesterday, ICANN sent out notification of the root KSK Ceremony 12,
which took place on February 12th.  Might be a factor?

When I went to bed at 5am US Eastern, DNS at home was working fine.
When I got up some hours later, there was no DNS resolution at home.  I
got it working by disabling the DNSSEC verification in unbound on the
router.

If I use unbound-anchor (on a host where that's available) and
copy/paste that into the router's file, it still doesn't help.

With the trust anchor turned on, I get:

root@coal:/etc/unbound# unbound -dd
Nov 27 08:22:20 unbound[2919:0] notice: init module 0: validator
Nov 27 08:22:20 unbound[2919:0] notice: init module 1: iterator
Nov 27 08:22:20 unbound[2919:0] info: start of service (unbound 1.4.5).
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
[...]

Does anyone know what might be causing this?  Algorithm change not
supported by ancient unbound, something else?

Thanks,
-Phil