[Unbound-users] DNSSEC problems
David Benfell
benfell at parts-unknown.org
Sun Jun 10 06:26:42 UTC 2012
Hi all,
I'm trying again to convince my unbound to do DNSSEC. I'm not seeing
what I'm doing wrong. Here's a log snippet that covers the messages
I'm seeing as problematic:
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for trust anchor . while building chain of trust
Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure <94-73-154-122.cizgi.net.tr. A IN>: key for validation . is marked as invalid because of a previous validation failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for trust anchor . while building chain of trust
Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure <94-73-154-122.cizgi.net.tr.members.linode.com. A IN>: key for validation . is marked as invalid because of a previous validation failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for trust anchor . while building chain of trust
The configuration:
atlanta# egrep -v "^[[:cntrl:] ]*[#;]|^$" /etc/unbound/unbound.conf
server:
    verbosity: 1
    extended-statistics: yes
    interface: 10.8.0.1
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.8.0.0/16 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    chroot: ""
    harden-referral-path: yes
    use-caps-for-id: yes
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 192.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
    auto-trust-anchor-file: "/etc/unbound/root.key"
    val-log-level: 2
    local-zone: "parts-unknown.org." static
    local-data: "parts-unknown.org. IN A 74.207.225.79"
    local-data: "parts-unknown.org. IN MX 10 parts-unknown.org."
    local-data: "atlanta.parts-unknown.org. IN A 10.8.0.1"
    local-data: "mail.parts-unknown.org. IN A 10.8.0.1"
    local-data: "graton.parts-unknown.org. IN A 10.8.0.10"
    local-data: "graton.parts-unknown.org. IN MX 20 parts-unknown.org."
    local-data: "graton.parts-unknown.org. IN MX 10 graton.parts-unknown.org."
    local-data: "n4rky.parts-unknown.org. IN A 10.8.0.22"
    local-data: "notary.parts-unknown.org. IN A 10.8.0.1"
    local-data: "www.parts-unknown.org. IN A 74.207.225.79"
    local-data: "s.parts-unknown.org. IN A 74.207.225.79"
    local-zone: "cybernude.org." static
    local-data: "cybernude.org. IN A 173.230.137.73"
    local-data: "cybernude.org. IN MX 10 parts-unknown.org."
    local-data: "atlanta.cybernude.org. IN A 10.8.0.1"
    local-data: "graton.cybernude.org. IN A 10.8.0.10"
    local-data: "graton.cybernude.org. IN MX 20 parts-unknown.org."
    local-data: "graton.cybernude.org. IN MX 10 graton.parts-unknown.org."
    local-data: "n4rky.cybernude.org. IN A 10.8.0.22"
    local-data: "www.cybernude.org. IN A 10.8.0.10"
    local-data: "s.cybernude.org. IN A 173.230.137.73"
    local-zone: "disunitedstates.com." static
    local-data: "disunitedstates.com. IN A 173.230.137.73"
    local-data: "disunitedstates.com. IN MX 10 parts-unknown.org."
    local-data: "atlanta.disunitedstates.com. IN A 10.8.0.1"
    local-data: "graton.disunitedstates.com. IN A 10.8.0.10"
    local-data: "graton.disunitedstates.com. IN MX 10 graton.parts-unknown.org."
    local-data: "graton.disunitedstates.com. IN MX 20 parts-unknown.org."
    local-data: "n4rky.disunitedstates.com. IN A 10.8.0.22"
    local-data: "www.disunitedstates.com. IN A 173.230.137.73"
    local-data: "www.joomla.disunitedstates.com. IN A 173.230.137.73"
    local-data: "s.disunitedstates.com. IN A 173.230.137.73"
    local-zone: "disunitedstates.org." static
    local-data: "disunitedstates.org. IN A 173.230.137.76"
    local-data: "disunitedstates.org. IN MX 10 parts-unknown.org."
    local-data: "atlanta.disunitedstates.org. IN A 10.8.0.1"
    local-data: "graton.disunitedstates.org. IN A 10.8.0.10"
    local-data: "graton.disunitedstates.org. IN MX 20 parts-unknown.org."
    local-data: "graton.disunitedstates.org. IN MX 10 graton.parts-unknown.org."
    local-data: "n4rky.disunitedstates.org. IN A 10.8.0.22"
    local-data: "www.disunitedstates.org. IN A 173.230.137.76"
    local-data: "s.disunitedstates.org. IN A 173.230.137.76"
    local-zone: "n4rky.me." static
    local-data: "n4rky.me. IN A 173.230.137.73"
    local-data: "n4rky.me. IN MX 10 parts-unknown.org."
    local-data: "atlanta.n4rky.me. IN A 10.8.0.1"
    local-data: "graton.n4rky.me. IN A 10.8.0.10"
    local-data: "n4rky.n4rky.me. IN A 10.8.0.22"
    local-data: "www.n4rky.me. IN A 173.230.137.73"
    local-data: "s.n4rky.me. IN A 173.230.137.73"
    local-data-ptr: "10.8.0.1 atlanta.parts-unknown.org"
    local-data-ptr: "10.8.0.10 graton.parts-unknown.org"
    local-data-ptr: "10.8.0.22 n4rky.parts-unknown.org"
python:
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53
The current contents of root-key (sorry for line breaks):
atlanta# cat /etc/unbound/root.key
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
I went over this item for item. As near as I can tell it is a correct
initial value.
I run su unbound "/usr/sbin/unbound-anchor -a /etc/unbound/root.key"
but it has no effect:
atlanta# ls -al /etc/unbound/root.key
-rw-r--r-- 1 unbound unbound 83 Jun 9 17:39 /etc/unbound/root.key
This unbound is intended to serve not only my server but an openvpn,
hence all the references to 10.8.0.x and the availability of 127.0.0.1
port 53 for dnscrypt-proxy:
atlanta# lsof -n | grep domain
unbound    3180  unbound    3u  IPv4 12285662  0t0  UDP 10.8.0.1:domain
unbound    3180  unbound    4u  IPv4 12285663  0t0  TCP 10.8.0.1:domain (LISTEN)
lua        4086  prosody   23u  IPv4  2057523  0t0  UDP 173.230.137.73:35155->75.127.97.6:domain
dnscrypt- 30415   nobody    6u  IPv4 12252389  0t0  TCP 127.0.0.1:domain (LISTEN)
dnscrypt- 30415   nobody    7u  IPv4 12252390  0t0  UDP 127.0.0.1:domain
What else should I tell you?
Thanks!
--
David Benfell
benfell at parts-unknown.org
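The two artifacts in the post, the DS line in root.key and the "no signatures from 127.0.0.1" log entries, can be checked mechanically. The following is an added example, not Unbound's code and not the poster's; parse_ds, classify and diagnose are helper names chosen here, and the DS record and log lines are copied from the message above with the mail wrapping undone (the single-line root.key comes to exactly 83 bytes, the size the ls output shows). It verifies the DS line is well formed (digest type 2 is SHA-256, so the digest must be 64 hex characters) and then sorts the log entries into the one root cause, the DNSKEY answer for the trust anchor "." that arrived without RRSIGs, and the "key ... is marked as invalid" entries that are only consequences of it, naming the upstream address the log attributes the missing signatures to.

```python
# Added example (not Unbound's code): offline triage of the two artifacts in
# the post, the root.key DS line and the validation log lines.
import re

# DS digest length in bytes per digest type (IANA DS-RR digest registry):
# 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST_LENGTHS = {1: 20, 2: 32, 4: 48}

# The post's root.key as the single line the file holds (the mailer wrapped it).
ROOT_KEY_TEXT = (
    ". IN DS 19036 8 2 "
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
)

# Constructed sample input: the post's log lines with the wrapping undone.
PRIME_FAIL = ("Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime "
              "trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
CHAIN_FAIL = "no signatures from 127.0.0.1 for trust anchor . while building chain of trust"
SAMPLE_LOG = [PRIME_FAIL] * 6 + [
    "Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure "
    "<122.154.73.94.in-addr.arpa. PTR IN>: " + CHAIN_FAIL,
    "Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure "
    "<94-73-154-122.cizgi.net.tr. A IN>: key for validation . is marked as "
    "invalid because of a previous validation failure "
    "<122.154.73.94.in-addr.arpa. PTR IN>: " + CHAIN_FAIL,
]

def parse_ds(text):
    """Parse 'owner IN DS keytag alg digesttype digest'; the digest may arrive
    in several chunks, which is what a line-wrapping mailer produces."""
    tokens = text.split()
    if len(tokens) < 7 or tokens[1].upper() != "IN" or tokens[2].upper() != "DS":
        raise ValueError("not an 'owner IN DS ...' record: %r" % text)
    key_tag, algorithm, digest_type = (int(t) for t in tokens[3:6])
    digest = "".join(tokens[6:]).lower()
    want = DS_DIGEST_LENGTHS.get(digest_type)
    if want is None:
        raise ValueError("unknown DS digest type %d" % digest_type)
    if not re.fullmatch(r"[0-9a-f]{%d}" % (want * 2), digest):
        raise ValueError("digest type %d needs %d hex chars, got %d"
                         % (digest_type, want * 2, len(digest)))
    return {"owner": tokens[0], "key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

LOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ unbound: "
                    r"\[(?P<pid>\d+):\d+\] (?P<level>\w+): (?P<msg>.*)$")
QUERY_RE = re.compile(r"validation failure <(?P<name>\S+) (?P<qtype>\w+) \w+>: (?P<reason>.*)")
NOSIG_RE = re.compile(r"no signatures from (?P<addr>\S+) for trust anchor (?P<anchor>\S+)")

def classify(line):
    """Describe one unbound log line; None if the line is not unbound's."""
    m = LOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    rec = {"pid": int(m.group("pid")), "kind": "other", "name": None,
           "qtype": None, "forwarder": None, "anchor": None}
    if msg.startswith("failed to prime trust anchor"):
        rec["kind"] = "prime_failure"
        rec["anchor"] = msg.split()[-3]   # "... is not secure . DNSKEY IN"
    elif msg.startswith("validation failure"):
        q = QUERY_RE.match(msg)
        if q:
            rec["name"], rec["qtype"] = q.group("name"), q.group("qtype")
            if q.group("reason").startswith("key for validation"):
                rec["kind"] = "key_marked_invalid"  # fallout of an earlier failure
            elif q.group("reason").startswith("no signatures from"):
                rec["kind"] = "no_signatures"       # the root cause itself
        n = NOSIG_RE.search(msg)   # nested failures repeat the original cause
        if n:
            rec["forwarder"], rec["anchor"] = n.group("addr"), n.group("anchor")
    return rec

def diagnose(lines):
    """Summarise a batch of lines and name the upstream that sent no RRSIGs."""
    recs = [r for r in map(classify, lines) if r]
    summary = {
        "prime_failures": sum(r["kind"] == "prime_failure" for r in recs),
        "failed_queries": sorted({(r["name"], r["qtype"]) for r in recs if r["name"]}),
        "unsigned_forwarders": sorted({r["forwarder"] for r in recs if r["forwarder"]}),
    }
    if summary["unsigned_forwarders"]:
        summary["hint"] = ("upstream %s answered the trust-anchor DNSKEY query without "
                           "RRSIGs; validation needs DNSSEC records passed through intact"
                           % ", ".join(summary["unsigned_forwarders"]))
    elif summary["prime_failures"]:
        summary["hint"] = "trust anchor not primed; compare root.key with the published root DS"
    else:
        summary["hint"] = "no DNSSEC failures in the sample"
    return summary

if __name__ == "__main__":
    print(parse_ds(ROOT_KEY_TEXT))
    print(diagnose(SAMPLE_LOG))
```

The split between "no_signatures" and "key_marked_invalid" matters when reading a noisy log: once the root key fails to validate, Unbound marks it invalid and every later query under it reports that mark, so counting those entries overstates the problem. The single entry that names an address is the one to act on; a resolver whose forward-zone for "." points at another hop can only validate if that hop returns the RRSIGs alongside the DNSKEY and DS answers.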