What format does ub_ctx_add_ta expect?

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed Jan 20 08:18:47 UTC 2016


Hi Riccardo,

On 01/19/2016 05:36 PM, Riccardo Spagni via Unbound-users wrote:
> BUMP:)
> On Sat, Jan 16, 2016 at 10:05 PM Riccardo Spagni <ric at spagni.net> wrote:
> Hi all,
> We've been using ub_ctx_add_ta() in libunbound to manually include
> the root trust anchor in Monero (because there's no standard for
> storing the root trust anchor, and Windows users almost definitely
> won't have one). This worked for ages, but as of a few months ago
> the following error occurs:

The format is a DNS resource record on one line, DS or DNSKEY.

If I call ub_ctx_add_ta() with the string you have there, the root
anchor with a \n after it, it works fine.

The warning is printed if you try to load an unsupported trust anchor;
this behaviour has changed in recent releases, dealing with loading
trust anchors with unknown algorithms, to support root key rollover
schemes more thoroughly.

However, the string you give has supported algorithms.  I do not
understand either why you get this error.  Are you loading a different
string?  (for instance with an ECDSA algorithm and the user has old
OpenSSL with no ECDSA support).

Or have you compiled unbound without sha256 support?  Not even sure if
that is possible and I think that needs configure options to do it,
but then this message would appear.

Note the hard coded anchor will get you in trouble with the root key
rollover that is talked about in public forums.  You need to have some
sort of update process (f.e. using your software update).

Best regards, Wouter

> [1452966957] libunbound[15265:0] info: warning: unsupported 
> algorithm for trust anchor . DNSKEY IN [1452966957]
> libunbound[15265:0] warning: trust anchor . has no supported
> algorithms, the anchor is ignored (check if you need to upgrade
> unbound and openssl)
> We figured it would resolve itself with some future version of 
> libunbound, but as of 1.5.8 (git head) from a few weeks ago it is 
> still not working.
> This is the hard-coded anchor:
> https://github.com/monero-project/bitmonero/blob/master/src/common/dns_utils.cpp#L87
>  And this is the snippet where we add the anchor using 
> ub_ctx_add_ta():
> https://github.com/monero-project/bitmonero/blob/master/src/common/dns_utils.cpp#L229
>  Any suggestions? Is it expecting a different format for that 
> anchor? Thanks!
> Riccardo
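An added pre-flight check for the format Wouter describes (exactly one DS or DNSKEY record on a single line, trailing newline allowed), written for this thread and not taken from libunbound or the Monero code. The key tag, digest and key material in the samples are constructed placeholders; the algorithm numbers (8 = RSASHA256, 13 and 14 = ECDSA) come from the IANA DNSSEC registry, not from the thread.

```c
/* Pre-flight check for the string handed to ub_ctx_add_ta(): it must be one
 * DS or DNSKEY record in presentation format, "<owner> [ttl] [IN] <type> ...",
 * on a single line. Added example, not libunbound's own parser: it reports the
 * DNSSEC algorithm number so the application can log a clear message before
 * libunbound prints "unsupported algorithm for trust anchor". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

enum ta_kind { TA_BAD = 0, TA_DS = 1, TA_DNSKEY = 2 };

static int eq_ci(const char *a, const char *b) {   /* case-insensitive equality */
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Returns the record type and stores the algorithm number in *alg (if non-NULL).
 * TA_BAD means the string is not exactly one DS or DNSKEY record. */
enum ta_kind ta_parse(const char *line, int *alg) {
    char buf[2048], *tok[64], *p;
    int n = 0, i = 1;
    if (!line || strlen(line) >= sizeof buf) return TA_BAD;
    strcpy(buf, line);
    /* One record per call: a single trailing newline is fine, embedded ones are not. */
    if ((p = strchr(buf, '\n')) != NULL) { if (p[1] != '\0') return TA_BAD; *p = '\0'; }
    for (p = strtok(buf, " \t\r"); p && n < 64; p = strtok(NULL, " \t\r")) tok[n++] = p;
    if (n < 5) return TA_BAD;
    /* tok[0] is the owner name; skip an optional TTL and an optional class. */
    if (isdigit((unsigned char)tok[i][0])) i++;
    if (eq_ci(tok[i], "IN")) i++;
    if (n - i < 5) return TA_BAD;                    /* type plus four rdata fields */
    if (eq_ci(tok[i], "DS")) {                       /* DS: keytag algorithm digest-type digest */
        if (alg) *alg = atoi(tok[i + 2]);
        return TA_DS;
    }
    if (eq_ci(tok[i], "DNSKEY")) {                   /* DNSKEY: flags protocol algorithm key */
        if (alg) *alg = atoi(tok[i + 3]);
        return TA_DNSKEY;
    }
    return TA_BAD;
}

/* Algorithm number of a single DS/DNSKEY line, or -1 if the line is not one. */
int ta_algorithm(const char *line) { int a; return ta_parse(line, &a) ? a : -1; }

int main(void) {
    /* Constructed sample: key tag and digest are placeholders, not the real root anchor. */
    const char *anchor = ". IN DS 12345 8 2 "
        "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\n";
    int alg = ta_algorithm(anchor);
    if (alg < 0) { puts("not a single DS/DNSKEY record"); return 1; }
    /* Algorithms 13 and 14 are ECDSA and need ECDSA support in the linked OpenSSL. */
    printf("trust anchor algorithm %d%s\n", alg,
           (alg == 13 || alg == 14) ? " (requires ECDSA support in OpenSSL)" : "");
    return 0;
}
```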
