failed to prime trust anchor

Petr Menšík pemensik at redhat.com
Tue May 3 15:31:32 UTC 2022


This happens often when the forwarder in use filters out DNSSEC records like
RRSIG.

If you are not using forwarders, someone on your connection might
intercept those queries and answer them instead of the root servers, without
proper signatures. If that were the case, you should not use such a
connection.

Try command "dig +dnssec @a.root-servers.net | grep RRSIG" for any root
server you want to check. It should always deliver RRSIG.

root-servers.net should not have DNSKEY, they are unsigned. That is okay.

Ensure you have dnskey query working:

unbound-host -rvD -t dnskey .

That should report (secure) for all queries.

On 5/1/22 20:43, dy1977--- via Unbound-users wrote:
> Hello
>
> I am facing a sudden problem on several devices:
>
> lists of errors in Unbound log:
>
> info: generate keytag query _ta-4f66. NULL IN
> info: failed to prime trust anchor -- could not fetch DNSKEY rrset .
> DNSKEY IN
>
> 100 lines of that, around 10 times the first line, and 90 times the
> second.
>
> and after that:
>
> info: validation failure <e.root-servers.net. A IN>: no DNSKEY rrset
> from 192.36.148.17 and 192.36.148.17 and (...)  for trust anchor .
> while building chain of trust
>
> and this repeated for b.root..., c.root... and so on.
>
> At the place where I wrote (...) there is a list of IP addresses, which can be
> the same address repeated up to 25 times, or different addresses, some
> repeated and others not.
>
> Sometimes using unbound-anchor seemed to fix the problem, other times
> no. The command is successful, but the messages still appear.
>
> These errors appear suddenly for an unknown reason.
>
> I saw in a pfSense forum that this may come from having DNSSEC and
> forwarding at the same time. But forwarding is not used here.
>
> Any clue to understand would be appreciated.
>
> Thanks
>
> Dysmas
>
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
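A scripted form of the two checks from the reply above, added here as an example and not part of the original thread. It queries each root server for the root DNSKEY RRset (the RRset Unbound could not fetch) with the DO bit set and looks for RRSIG in the answer, then checks that the local Unbound reports (secure) for the root DNSKEY; the helper names and the `run` argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: scripted version of the two checks above.
# has_rrsig reads dig output on stdin and succeeds if any RRSIG record is present.
has_rrsig() {
    grep -q '[[:space:]]RRSIG[[:space:]]'
}

# all_secure reads unbound-host output on stdin and succeeds only if there is at
# least one line and every line ends in "(secure)" (insecure or bogus lines fail).
all_secure() {
    awk '{ n++; if ($0 !~ /\(secure\)$/) bad = 1 }
         END { exit (n == 0 || bad) ? 1 : 0 }'
}

# Ask every root server for the root DNSKEY set with the DO bit set (the RRset
# Unbound failed to fetch in the log) and report whether RRSIGs came back.
check_root_servers() {
    for s in a b c d e f g h i j k l m; do
        srv="$s.root-servers.net"
        if dig +dnssec +time=3 +tries=1 "@$srv" . DNSKEY 2>/dev/null | has_rrsig; then
            echo "$srv: RRSIG present"
        else
            echo "$srv: NO RRSIG (stripped by a forwarder/middlebox, or unreachable)"
        fi
    done
}

# Check that the local Unbound validates the root DNSKEY as (secure).
check_local_validation() {
    if unbound-host -rvD -t dnskey . | all_secure; then
        echo "local resolver: root DNSKEY validates (secure)"
    else
        echo "local resolver: root DNSKEY NOT secure; check the unbound log"
        return 1
    fi
}

# The network checks only run when invoked as: sh check-root-dnssec.sh run
if [ "${1:-}" = run ]; then
    check_root_servers
    check_local_validation
fi
```

A root server that answers the DNSKEY query without any RRSIG, while others include it, points at something on the path stripping DNSSEC data rather than at the trust anchor itself.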