failed to prime trust anchor

Petr Menšík pemensik at
Tue May 3 15:31:32 UTC 2022

This happens often when used forwarder filters out DNSSEC records like

If you are not using forwarders, someone on your connection might
intercept those queries and answer them instead of root servers, without
proper signatures. If that were the case, you should not use such

Try command "dig +dnssec | grep RRSIG" for any root
server you want to check. It should always deliver RRSIG. should not have DNSKEY, they are unsigned. That is okay.

Ensure you have dnskey query working:

unbound-host -rvD -t dnskey .

that should report (secure) for all queries.

On 5/1/22 20:43, dy1977--- via Unbound-users wrote:
> Hello
> I am facing a sudden problem on several devices :
> lists of errors in Unboud log :
> info: generate keytag query _ta-4f66. NULL IN
> info: failed to prime trust anchor -- could not fetch DNSKEY rrset .
> 100 lines of that, around 10 times the first line, and 90 times the
> second.
> and after that :
> info: validation failure < A IN>: no DNSKEY rrset
> from and and (...)  for trust anchor .
> while building chain of trust
> and this repeated for b.root..., c.root... and so on.
> At the place where I wrote (...) a list of Ip addresses, which can be
> the same address repeated up to 25 times, or different addresses, some
> repeated and others no.
> Sometimes using unbound-anchor seemed to fix the problem, other times
> no. The command is successful, but the messages still appear.
> These errors appear suddenly for un unknown reason.
> I saw in a PfSense forum that this may come from having dnssec anb
> forwarding at the same time. But forwarding is not used here.
> Any clue to understand would be appreciated.
> Thanks
> Dysmas
Petr Menšík
Software Engineer
Red Hat,
email: pemensik at
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

More information about the Unbound-users mailing list