DNSSEC and root.key problem

g1pi at libero.it g1pi at libero.it
Tue Apr 7 15:52:49 UTC 2020


As far as I can tell, Unbound is able to read a root.key file containing
exactly one DS, refetch the key, check the hash against the DS and --- if
successful --- rewrite the root.key file with the full DNSKEY.

According to https://www.icann.org/dns-resolvers-updating-latest-trust-anchor,
19036 is the tag for KSK2010, while 20326 is the tag for KSK2017.
The KSK for "." was replaced some time ago... I guess 2017 :-)

I suggest that you
- check the clock on your Pi (I vaguely remember another thread about
  the problem of bootstrapping NTP on systems without a battery-backed RTC)
- stop unbound, remove the line with tag 19036 from the file, restart unbound

As far as I know, root.hints and root.key are independent: the former
tells which nameservers are _likely_ authoritative for the root zone
(i.e. where to start recursion), the latter allows the responses of any
of them to be validated.


On Tue, Apr 07, 2020 at 04:29:19PM +0200, Andy via Unbound-users wrote:
> Hi!
> My unbound stopped working. I think I could track it down to the file root.key and DNSSEC. Unfortunately I can't figure out how to make it work again. :/
> 1) My system
> unbound 1.9.0 with pihole on a Raspberry Pi. My unbound uses hyperlocal root and forward-addr'es for DoT.
> 2) What I did before the error occurred
> I manually started an 'autoupdatelocalroot' script that checks if the local copy of root.hints is outdated and if so, creates a newer version of https://www.internic.net/domain/named.root and saves it locally. This update script has worked for many times already. This time, however, it seems something went wrong somewhere.
> 3) What is the problem
> Pihole now displays every DNS request as 'bogus'. If I turn DNSSEC off in pihole, host name resolution works again. However, DNSSEC was turned on all the time in pihole before and it worked flawlessly for months. So it can't be that pihole setting.
> 4) What I found out
> "dig mail.de @" returns NOERROR and the ad-flag is set. (This command avoids both unbound and pihole).
> "dig mail.de @ -p 5353" returns NOERROR, *but the ad-flag is missing*. (This command uses unbound, but avoids pihole)
> "dig mail.de @ -p 53" returns SERVFAIL and ad-flag missing (using unbound and pihole, latter one with DNSSEC=yes)
> "dig mail.de @ -p 53" returns NOERROR, but missing ad-flag. (using unbound and pihole, latter one with DNSSEC=no)
> Because of the missing ad-flag in the second example I suspect something messed up the DNSSEC configuration.
> 5) What I tried
> - I restored the previous root.hints file but to no avail. Same error.
> I wonder if root.hints and root.key are in some way linked to each other or if each of them can be changed independently?
> - I tried "sudo -u unbound unbound-anchor -v". It returns:
> /var/lib/unbound/root.key has content
> fail: the anchor is NOT ok and could not be fixed
> - I restored the previous root.key file. Oddly enough, the ad-flag comes back (second command above), but pihole still displays every dns request as bogus. -.-
> 6) My config files
> root-auto-trust-anchor-file:
> server:
>     # The following line will configure unbound to perform cryptographic
>     # DNSSEC validation using the root trust anchor.
>     auto-trust-anchor-file: "/var/lib/unbound/root.key"
> root.key before unbound-anchor (using this file also makes the ad-flag appear):
> ; autotrust trust anchor file
> ;;id: . 1
> ;;last_queried: 1586243231 ;;Tue Apr  7 09:07:11 2020
> ;;last_success: 1586243231 ;;Tue Apr  7 09:07:11 2020
> ;;next_probe_time: 1586329189 ;;Wed Apr  8 08:59:49 2020
> ;;query_failed: 0
> ;;query_interval: 86400
> ;;retry_time: 17280
> .    86400    IN    DNSKEY    257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1577624636 ;;Sun Dec 29 14:03:56 2019
> root.key after I deleted root.key manually and ran unbound-anchor (using this file makes the ad-flag disappear):
> . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
> . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
> I'm lost. What can I do to set up a working and up-to-date root.key and DNSSEC configuration again? I'd also love to be able to set DNSSEC=yes in pihole as it was before for many months.
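The check the reply describes (Unbound reads a DS from root.key, fetches the root DNSKEY RRset, and accepts a key only if its key tag and digest match the DS) can be reproduced offline from the records quoted above. The following is an added example, not code from the thread or from Unbound; it embeds the DNSKEY and the two DS lines quoted above as constructed input, uses the RFC 4034 key tag and DS digest definitions (owner name in wire form followed by the DNSKEY RDATA; for the root the owner name is a single zero byte), and the function names are my own.

```python
import base64
import hashlib
import hmac

# Constructed input: the DNSKEY from the working root.key and the two DS
# records unbound-anchor wrote, both copied from the message above.
ROOT_KSK_2017_DNSKEY = (
    "257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)
ROOT_DS_RECORDS = [
    "19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    "20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
]
ROOT_OWNER_WIRE = b"\x00"  # wire-format name of "."

# RFC 4034 section 5.1.3: DS digest type -> hash function
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(presentation):
    """Turn 'flags proto alg base64key' into DNSKEY RDATA wire bytes."""
    flags, proto, alg, key_b64 = presentation.split(None, 3)
    public_key = base64.b64decode("".join(key_b64.split()))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 form)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire, rdata, digest_type):
    """DS digest = H(owner name wire form || DNSKEY RDATA)."""
    return DS_DIGEST_ALGORITHMS[digest_type](owner_wire + rdata).digest()


def dnskey_matches_ds(dnskey_text, ds_text, owner_wire=ROOT_OWNER_WIRE):
    """Apply the DS check a validator performs: key tag, algorithm, then digest."""
    tag, alg, digest_type, digest_hex = ds_text.split()
    rdata = dnskey_rdata(dnskey_text)
    if key_tag(rdata) != int(tag):
        return False              # different key entirely (e.g. the retired KSK-2010)
    if rdata[3] != int(alg):
        return False              # algorithm byte is part of the DS identity
    if int(digest_type) not in DS_DIGEST_ALGORITHMS:
        return False              # unknown digest type: treat as no match
    computed = ds_digest(owner_wire, rdata, int(digest_type))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def matching_ds_tags(dnskey_text, ds_records):
    """Key tags of the DS records that this DNSKEY satisfies."""
    return [int(ds.split()[0]) for ds in ds_records if dnskey_matches_ds(dnskey_text, ds)]


if __name__ == "__main__":
    rdata = dnskey_rdata(ROOT_KSK_2017_DNSKEY)
    print("key tag of quoted DNSKEY:", key_tag(rdata))
    print("DS records it satisfies:", matching_ds_tags(ROOT_KSK_2017_DNSKEY, ROOT_DS_RECORDS))
```

Running it shows that the quoted DNSKEY carries tag 20326 and satisfies only the second DS line; the 19036 DS matches no key in the current root DNSKEY RRset, which is why a root.key that still lists it cannot be "fixed" by refetching the keys.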
