[Unbound-users] old unbound, DNSSEC verification broke today
Phil Pennock
unbound-users+phil at spodhuis.org
Thu Mar 7 02:12:20 UTC 2013
I have an OpenWRT router device which has unbound 1.4.5 bundled for it
and I haven't yet gotten around to getting cross-compilation going so I
can build something newer myself.

Yesterday, ICANN sent out notification of the root KSK Ceremony 12,
which took place on February 12th. Might be a factor?

When I went to bed at 5am US Eastern, DNS at home was working fine.
When I got up some hours later, there was no DNS resolution at home. I
got it working by disabling the DNSSEC verification in unbound on the
router.

If I use unbound-anchor (on a host where that's available) and
copy/paste that into the router's file, it still doesn't help.

With the trust anchor turned on, I get:

root@coal:/etc/unbound# unbound -dd
Nov 27 08:22:20 unbound[2919:0] notice: init module 0: validator
Nov 27 08:22:20 unbound[2919:0] notice: init module 1: iterator
Nov 27 08:22:20 unbound[2919:0] info: start of service (unbound 1.4.5).
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
[...]

Does anyone know what might be causing this? Algorithm change not
supported by ancient unbound, something else?

Thanks,
-Phil