DNSSEC and root.key problem

Anand Buddhdev anandb at ripe.net
Tue Apr 7 17:09:22 UTC 2020

On 07/04/2020 16:16, Andy via Unbound-users wrote:

Hi Andy,

> I manually started an 'autoupdatelocalroot' script that checks if the local copy 
> of root.hints is outdated and if so, creates a newer version of 
> https://www.internic.net/domain/named.root and saves it locally. This update 
> script has worked many times already. This time, however, it seems something 
> went wrong somewhere.

Don't do this, and remove the "root-hints" option from your
unbound.conf. This will make unbound use its built-in hints. They change
rarely, so the in-built list will never be obsolete, and unbound will do
priming on startup to keep its root server addresses up to date.

The fewer things you have to fiddle around with, the easier it is to
debug things.

> 5) What I tried
> - I restored the previous root.hints file but to no avail. Same error.
> I wonder if roots.hint and root.key are in some way linked to each other or if 
> each of them can be changed independently?

"roots.hint" and "root.key" are completely different. As I said above,
you don't need a root.hints file. The root.key file contains the trust
anchor to use for DNSSEC validation. Normally, you should not need to
touch this either, because unbound uses RFC5011 to keep it updated when
the root zone KSK is rolled.


I can't yet see what is causing validation to fail on your pihole, but I
hope someone else can provide an answer to that.
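
The reply's two points, turned into a check. This is an added example, not part of the post and not Unbound's own tooling: a small POSIX shell audit of an unbound.conf for the directives discussed above. The two sample configs and the file paths are constructed for illustration. The distinction it relies on is that auto-trust-anchor-file is the directive that gives RFC 5011 tracking of the root KSK, while trust-anchor-file is a static anchor that unbound never rewrites.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: audit an unbound.conf for the
# two settings the reply discusses. Paths and the sample configs below are
# constructed for illustration.
#
#   root-hints:             should be ABSENT  (built-in hints + priming)
#   auto-trust-anchor-file: should be PRESENT (RFC 5011 tracks KSK rolls)
#   trust-anchor-file:      static anchor; NOT updated when the root KSK rolls

# Print findings for one config file; return 0 if it follows the advice, 1 if not.
audit_unbound_conf() {
    conf=$1
    rc=0
    # Match only active directives: optional leading whitespace, then the key.
    # Commented-out lines ("# root-hints: ...") do not match.
    if grep -Eq '^[[:space:]]*root-hints:' "$conf"; then
        echo "WARN: root-hints set; remove it, unbound ships its own hints and primes at startup"
        rc=1
    else
        echo "OK:   no root-hints, built-in list will be used"
    fi
    if grep -Eq '^[[:space:]]*auto-trust-anchor-file:' "$conf"; then
        echo "OK:   auto-trust-anchor-file set, RFC 5011 keeps the anchor current"
    elif grep -Eq '^[[:space:]]*trust-anchor-file:' "$conf"; then
        echo "WARN: trust-anchor-file is static and will not follow a root KSK roll"
        rc=1
    else
        echo "WARN: no trust anchor directive in this file (check any include: files)"
        rc=1
    fi
    return $rc
}

# Print the path of the RFC 5011 anchor file, if configured (quotes stripped).
anchor_path() {
    sed -nE 's/^[[:space:]]*auto-trust-anchor-file:[[:space:]]*"?([^"[:space:]]+)"?.*/\1/p' "$1"
}

TMPD=$(mktemp -d)
BAD_CONF=$TMPD/before.conf    # constructed: the setup the thread argues against
GOOD_CONF=$TMPD/after.conf    # constructed: the setup the reply recommends

cat >"$BAD_CONF" <<'EOF'
server:
    # hand-maintained hints file, refreshed by a script
    root-hints: "/etc/unbound/root.hints"
    # static anchor: never rewritten on a KSK roll
    trust-anchor-file: "/etc/unbound/root.key"
EOF

cat >"$GOOD_CONF" <<'EOF'
server:
    # no root-hints: unbound primes from its built-in root server list
    # unbound must be able to WRITE this file for RFC 5011 updates to land
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF

for f in "$BAD_CONF" "$GOOD_CONF"; do
    echo "== $f"
    audit_unbound_conf "$f" || echo "--> needs fixing"
done
echo "RFC 5011 anchor in $GOOD_CONF: $(anchor_path "$GOOD_CONF")"
```

Point audit_unbound_conf at the real file (for example /etc/unbound/unbound.conf, an assumed path), then run unbound-checkconf to confirm the syntax. Also make sure the file named by auto-trust-anchor-file is writable by the user unbound runs as: RFC 5011 updates are written back to that file, and an anchor unbound cannot rewrite will fall behind on the next KSK roll.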

