
Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure


  • From: Rouben <rouben AT rouben.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
  • Date: Thu, 20 Jan 2022 21:48:33 -0500

Did you install the OpenNIC root keys? Unbound and BIND come with default DNSSEC keys which are not valid for OpenNIC servers.

See https://wiki.opennic.org/opennic/dnssec
This page is for BIND, but you can adapt it for unbound, based on the documentation here:

Also there is an unbound wiki page, but it needs work. Since you’re running unbound, perhaps you could consider updating that page for the benefit of others who wish to run unbound?
Sample config without DNSSEC: 
https://wiki.opennic.org/tier_2_unbound
Old wiki page without DNSSEC: 

Let me know if you want to work on this; I wanted to try unbound myself but just never got around to setting it up. Maybe together we can somehow divide the work?

Rouben

On Thu, Jan 20, 2022 at 14:24 <register2021 AT dimtim.eu> wrote:
Hello,
I have installed a personal unbound resolver on Ubuntu 20.04 with the default
configuration and it works OK in my home network.
When I add just 1 line:
root-hints: "/etc/unbound/opennic.cache"
to the unbound.conf, my server starts with status OK, but stops resolving and
gives SERVFAIL errors on dig commands. This line breaks it. When I comment it
out, after restart it works properly (but of course, not seeing opennic
domains).

journalctl -xe
gives multiple errors of this type:
info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

also:
unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security
failure))
validation failure <sigok.verteiltesysteme.net. A IN>: signature missing from
161.97.219.84 for trust anchor . while building chain of trust
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS
(security failure))

Do you support the widely used, actively developed and easy to configure unbound
resolver? It looks like you don't. I did not find any post here when I searched
for "unbound".
Do you plan to support it?
Thanks
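An added example, not taken from this thread or from the OpenNIC wiki: an unbound.conf server fragment that shows why the single root-hints line in the question produces "failed to prime trust anchor" and BOGUS answers, and the two settings that have to change together with it. The key file path /etc/unbound/opennic-root.key is assumed; the key material itself comes from the DNSSEC wiki page linked above and is not reproduced here. The Ubuntu conf.d path quoted in the comments is where the Debian/Ubuntu unbound package installs its default IANA anchor.

```conf
server:
    # Added example, not the original poster's config. Shows the coupling
    # between root-hints and the trust anchor for ".".

    # 1. Point iteration at the OpenNIC root servers (the line from the question).
    root-hints: "/etc/unbound/opennic.cache"

    # 2. The validator still holds the IANA root KSK. On Ubuntu 20.04 it is
    #    configured by /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:
    #        auto-trust-anchor-file: "/var/lib/unbound/root.key"
    #    With root-hints now naming a different root zone, the DNSKEY RRset
    #    unbound fetches for "." is not signed by that key, priming fails
    #    ("DNSKEY rrset is not secure") and every answer is marked BOGUS,
    #    which dig sees as SERVFAIL. Remove or comment out that default line
    #    (do not keep two different anchors for ".") and install the anchor
    #    for the root you are actually using:
    trust-anchor-file: "/etc/unbound/opennic-root.key"   # path assumed; key from wiki.opennic.org/opennic/dnssec

    # 3. Alternative, if you deliberately run without validation (as the
    #    "sample config without DNSSEC" tier-2 page does): drop the validator
    #    module instead of installing an anchor. Either 2 or 3, not both.
    # module-config: "iterator"

    # Make validation failures show up in journalctl while debugging.
    val-log-level: 2
```

Check the result with unbound-checkconf before restarting, then repeat the unbound-host -C ... -v query from the question: with a matching anchor the answer comes back (secure) instead of (BOGUS (security failure)); with module-config "iterator" it comes back (insecure), which is what the no-DNSSEC wiki config gives you.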




