Maintained by: NLnet Labs

Getting error messages, DNSSEC appears to be working nevertheless

W.C.A. Wijngaards
Mon Jul 24 12:54:33 CEST 2017


Hi Beeblebrox,

I think the issue is that -a adds the root.key file, but you also have
the root.key file in your unbound.conf, hence it is added twice.  You'd
need another unbound.conf file without the root.key statement for
unbound-anchor.  (unbound.conf supports include: "file" to make that
easy to maintain).

Best regards, Wouter

On 24/07/17 09:04, Beeblebrox via Unbound-users wrote:
> Hello. I have Unbound running in a FreeBSD Jail, with all required files placed in /var/unbound. /etc/rc.conf starts unbound with:
> 
> unbound_enable="YES"
> unbound_flags="-c /var/unbound/unbound.conf"
> unbound_anchorflags="-a '/var/unbound/root.key' -C /var/unbound/unbound.conf -r '/var/unbound/root.hints'"
> 
> DNSSEC is working since "drill -D 00f.net" gives correct result.
> However, unbound.log shows below message, and I'm wondering if it could cause future problems:
> 
> libunbound[74640:0] notice: init module 0: validator
> libunbound[74640:0] error: trust anchor presented twice
> libunbound[74640:0] error: could not parse auto-trust-anchor-file /var/unbound/root.key line 2
> libunbound[74640:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
> libunbound[74640:0] error: validator: error in trustanchors config
> libunbound[74640:0] error: validator: could not apply configuration settings.
> libunbound[74640:0] error: module init for module validator failed
> unbound[75230:0] notice: init module 0: validator
> unbound[75230:0] notice: init module 1: iterator
> unbound[75230:0] info: start of service (unbound 1.6.2).
> 
> Regards.
> 


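A way to check for the condition diagnosed in the reply above, as an added example that is not part of the original thread: the script reports whether the config given to `unbound-anchor -C` already declares the key file given to `-a`, following `include:` lines. The function names, the `common.conf` file name and the temporary demo layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are used exactly as written in
# the config (assumption: no chroot/relative-path rewriting, no include globs).

# list_anchor_files CONF [DEPTH]: print each auto-trust-anchor-file value that
# CONF declares, following include: directives up to 8 levels deep.
list_anchor_files() {
    [ -r "$1" ] && [ "${2:-0}" -lt 8 ] || return 0
    # Drop comments, then split each line into "key: value".
    sed -e 's/#.*//' "$1" | while read -r key val; do
        val=$(printf '%s' "$val" | tr -d "\"'")
        case $key in
            auto-trust-anchor-file:) printf '%s\n' "$val" ;;
            include:) list_anchor_files "$val" $(( ${2:-0} + 1 )) ;;
        esac
    done
}

# anchor_presented_twice CONF KEYFILE: exit 0 when the config meant for
# unbound-anchor -C already names the file meant for -a.
anchor_presented_twice() {
    list_anchor_files "$1" | grep -Fxq -- "$2"
}

# Constructed demo: the daemon's unbound.conf keeps the anchor statement and
# includes common.conf; only common.conf is meant for unbound-anchor -C.
demo=$(mktemp -d)
cat > "$demo/common.conf" <<EOF
server:
    root-hints: "$demo/root.hints"
EOF
cat > "$demo/unbound.conf" <<EOF
server:
    auto-trust-anchor-file: "$demo/root.key"   # loaded by the daemon only
include: "$demo/common.conf"
EOF

for c in unbound.conf common.conf; do
    if anchor_presented_twice "$demo/$c" "$demo/root.key"; then
        echo "$c: already declares root.key, conflicts with unbound-anchor -a"
    else
        echo "$c: no anchor statement, usable with unbound-anchor -C"
    fi
done
```

To check a real setup, call `anchor_presented_twice` with the file named after `-C` and the file named after `-a` in `unbound_anchorflags`.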