Maintained by: NLnet Labs

What format does ub_ctx_add_ta expect?

W.C.A. Wijngaards
Wed Jan 20 09:18:47 CET 2016



Hi Riccardo,

On 01/19/2016 05:36 PM, Riccardo Spagni via Unbound-users wrote:
> BUMP:)
> 
> On Sat, Jan 16, 2016 at 10:05 PM Riccardo Spagni <ric at spagni.net> wrote:
> 
> Hi all,
> 
> We've been using ub_ctx_add_ta() in libunbound to manually include
> the root trust anchor in Monero (because there's no standard for
> storing the root trust anchor, and Windows users almost definitely
> won't have one). This worked for ages, but as of a few months ago
> the following error occurs:

The format is a DNS resource record on one line, DS or DNSKEY.

If I call ub_ctx_add_ta() with the string you have there, the root
anchor with a \n after it, it works fine.

The warning is printed if you try to load an unsupported trust anchor.
This behaviour has changed in recent releases, dealing with loading
trust anchors with unknown algorithms, to support root key rollover
schemes more thoroughly.

However, the string you give has supported algorithms.  I do not
understand either why you get this error.  Are you loading a different
string?  (for instance with an ECDSA algorithm and the user has old
OpenSSL with no ECDSA support).

Or have you compiled unbound without sha256 support?  Not even sure if
that is possible and I think that needs configure options to do it,
but then this message would appear.

Note the hard-coded anchor will get you in trouble with the root key
rollover that is talked about in public forums.  You need to have some
sort of update process (e.g. using your software update).

Best regards, Wouter

> 
> [1452966957] libunbound[15265:0] info: warning: unsupported algorithm for trust anchor . DNSKEY IN
> [1452966957] libunbound[15265:0] warning: trust anchor . has no supported algorithms, the anchor is ignored (check if you need to upgrade unbound and openssl)
> 
> We figured it would resolve itself with some future version of 
> libunbound, but as of 1.5.8 (git head) from a few weeks ago it is 
> still not working.
> 
> This is the hard-coded anchor:
> https://github.com/monero-project/bitmonero/blob/master/src/common/dns_utils.cpp#L87
> 
> And this is the snippet where we add the anchor using
> ub_ctx_add_ta():
> https://github.com/monero-project/bitmonero/blob/master/src/common/dns_utils.cpp#L229
> 
> Any suggestions? Is it expecting a different format for that
> anchor? Thanks!
> 
> Riccardo
> 

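An added example, not code from this thread, from libunbound or from Monero: a pre-flight check, in Python, of a trust-anchor string before it is handed to ub_ctx_add_ta(). It applies the two points of the reply above: the accepted format is one DS or DNSKEY resource record in presentation format (a trailing newline is fine), and an anchor is only usable if its algorithm is one the resolver's build supports, which is what the "unsupported algorithm for trust anchor" warning is about. The function names, the SUPPORTED_ALGORITHMS set (an assumed set for a build whose OpenSSL has RSA and ECDSA; a real build's set is whatever unbound was compiled and linked against) and the sample anchors in the block are all assumptions and constructed data, not real root key material.

```python
"""Pre-flight check of a trust-anchor string before ub_ctx_add_ta().

Added example for this thread, not code from libunbound or Monero.
SUPPORTED_ALGORITHMS is an assumed set; the sample anchors below are
constructed and carry no real key material.
"""
import base64

# DNSSEC algorithm numbers from the IANA registry; which of them a given
# unbound+OpenSSL build supports is an assumption here (RSA + ECDSA).
SUPPORTED_ALGORITHMS = {5, 7, 8, 10, 13, 14}
# DS digest type -> expected hex length (1 SHA-1, 2 SHA-256, 4 SHA-384).
DS_DIGEST_HEXLEN = {1: 40, 2: 64, 4: 96}


def key_tag(flags, protocol, algorithm, key_bytes):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for the
    obsolete algorithm 1, which used a different rule)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key_bytes
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_anchor(line):
    """Parse '<owner> [TTL] [IN] DS|DNSKEY <rdata>' into a dict; raise
    ValueError for anything that is not a one-line DS or DNSKEY RR."""
    fields = line.strip().split()
    if not fields:
        raise ValueError("empty trust anchor")
    owner = fields[0].lower()
    if not owner.endswith("."):
        raise ValueError("owner name must be fully qualified: %r" % owner)
    rest = fields[1:]
    if rest and rest[0].isdigit():          # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":    # optional class
        rest = rest[1:]
    if len(rest) < 5:
        raise ValueError("too few fields in %r" % line.strip())
    rtype, rdata = rest[0].upper(), rest[1:]
    if rtype == "DS":
        keytag, alg, dtype = (int(x) for x in rdata[:3])
        digest = "".join(rdata[3:]).upper()  # digest may be split by spaces
        if dtype not in DS_DIGEST_HEXLEN or len(digest) != DS_DIGEST_HEXLEN[dtype]:
            raise ValueError("DS digest type %d / length %d mismatch" % (dtype, len(digest)))
        bytes.fromhex(digest)                # must be hex
        return {"owner": owner, "type": "DS", "keytag": keytag,
                "algorithm": alg, "digest_type": dtype, "digest": digest}
    if rtype == "DNSKEY":
        flags, proto, alg = (int(x) for x in rdata[:3])
        if proto != 3:
            raise ValueError("DNSKEY protocol field must be 3")
        key = base64.b64decode("".join(rdata[3:]), validate=True)
        return {"owner": owner, "type": "DNSKEY", "flags": flags, "algorithm": alg,
                "keytag": key_tag(flags, proto, alg, key), "key": key}
    raise ValueError("trust anchor must be DS or DNSKEY, not %s" % rtype)


def check_anchor(line, supported=SUPPORTED_ALGORITHMS):
    """Return (usable, message); usable=False with an unsupported algorithm is
    the situation behind the 'unsupported algorithm for trust anchor' warning."""
    try:
        rr = parse_anchor(line)
    except ValueError as err:
        return False, "malformed trust anchor: %s" % err
    if rr["algorithm"] not in supported:
        return False, "unsupported algorithm %d for trust anchor %s %s" % (
            rr["algorithm"], rr["owner"], rr["type"])
    return True, "%s %s alg %d keytag %d" % (
        rr["owner"], rr["type"], rr["algorithm"], rr["keytag"])


def usable_anchors(lines, supported=SUPPORTED_ALGORITHMS):
    """Return (usable anchors, owners whose anchors were all rejected); the
    second set is the case reported as 'has no supported algorithms, the
    anchor is ignored'."""
    kept, seen, ok_owners = [], set(), set()
    for line in lines:
        try:
            rr = parse_anchor(line)
        except ValueError:
            continue                         # malformed: no owner to attribute it to
        seen.add(rr["owner"])
        if rr["algorithm"] in supported:
            ok_owners.add(rr["owner"])
            kept.append(rr)
    return kept, seen - ok_owners


if __name__ == "__main__":
    # Constructed sample anchors, not the real root key.
    DS_LINE = ". IN DS 1545 8 2 " + "AB" * 32 + "\n"
    DNSKEY_LINE = ". DNSKEY 257 3 8 AQAB"
    ECDSA_LINE = ". DNSKEY 257 3 13 AQAB"
    for anchor in (DS_LINE, DNSKEY_LINE, ECDSA_LINE):
        print(check_anchor(anchor))
    # A build whose OpenSSL lacks ECDSA, the case the reply asks about:
    print(check_anchor(ECDSA_LINE, supported={5, 7, 8, 10}))
    print(usable_anchors([ECDSA_LINE], supported={5, 7, 8, 10}))
```

The check is deliberately stricter than a resolver needs to be: a digest of the wrong length or a non-FQDN owner is rejected up front, so a shipped anchor string is caught at build or test time rather than at run time on a user's machine. The key tag computed for a DNSKEY anchor is the value to compare against the key tag field of the matching DS, which is the easiest way to confirm a hard-coded DNSKEY is the key you think it is.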