discuss AT lists.opennicproject.org
Subject: Discuss mailing list
Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
- From: register2021 <register2021 AT dimtim.eu>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
- Date: Fri, 21 Jan 2022 19:23:31 +0100
Hello,
I have unbound installed in Ubuntu 20.04 with apt install unbound.
I have created a hints file:
dig . NS @161.97.219.84 > /etc/unbound/opennic.cache
I have also created a trust anchor file:
sudo -u unbound unbound-anchor -r /etc/unbound/opennic.cache -a /var/lib/unbound/opennic.key
When I use it in unbound.conf like
trust-anchor-file: "/var/lib/unbound/opennic.key"
it fails. But when I create a key file:
sudo -u unbound dig DNSKEY . @161.97.219.84 > /var/lib/unbound/opennic.dnskey
and put it in the config like:
trusted-keys-file: "/var/lib/unbound/opennic.dnskey"
it starts without errors.
But I suspect that it does not use DNSSEC.
root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
sigok.verteiltesysteme.net has no mail handler record (insecure)
(should be secure, it was secure under icann.root.hints)
root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (insecure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (insecure)
ns5.opennic.glue has no mail handler record (insecure)
Here I don't know if it should be secure or not... It looks like DNSSEC is NOT working anymore.
Unbound does not like multiple hints and keys, so I had to use only OpenNIC's parameters.
Maybe it is extremely bound to ICANN, it looks hard-coded, and there are no alternative configs lying around...
--------------------------------------------------------
I have installed a personal unbound resolver on Ubuntu 20.04 with the default
configuration and it works OK in my home network.
When I add just 1 line:
root-hints: "/etc/unbound/opennic.cache"
to the unbound.conf, my server starts with status OK, but stops resolving and
gives SERVFAIL errors on dig commands. This line breaks it. When I comment it
out, after restart it works properly (but of course, not seeing OpenNIC
domains).
journalctl -xe
gives multiple errors of this type:
info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
also:
unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure <sigok.verteiltesysteme.net. A IN>: signature missing from 161.97.219.84 for trust anchor . while building chain of trust
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))
Do you support the widely used, actively developed and easy-to-configure unbound
resolver? It looks like you don't. I did not find any post here when I searched
for "unbound".
Do you plan to support it?
Thanks
--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
Rouben
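
The validation statuses quoted in the message above, graded by a small script. This is an added example, not part of the original post or of unbound; the function names are hypothetical and the third sample (a validated answer) is constructed for illustration.

```shell
#!/bin/sh
# Added example: grade `unbound-host -v` output by DNSSEC validation status.

# Samples. The first two reuse answer lines quoted in the message above (as
# wrapped by the mail client); the third is constructed to show a validated lookup.
sample_trusted_keys() { cat <<'EOF'
sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
(insecure)
sigok.verteiltesysteme.net has no mail handler record (insecure)
EOF
}
sample_root_hints_only() { cat <<'EOF'
sigok.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security
failure))
EOF
}
sample_validated() { cat <<'EOF'
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
EOF
}

# worst_status (hypothetical helper): read unbound-host -v output on stdin and
# print the weakest status seen, ordered bogus < insecure < secure.
# Matching per line also copes with a status wrapped onto the following line.
worst_status() {
    awk '
        /\(BOGUS/      { bogus = 1 }
        /\(insecure\)/ { insecure = 1 }
        /\(secure\)/   { secure = 1 }
        END {
            if (bogus)         print "bogus"
            else if (insecure) print "insecure"
            else if (secure)   print "secure"
            else               print "unknown"
        }'
}

# signed_zone_validates (hypothetical helper): succeed only if every answer for
# a name in a zone known to be signed was validated. "insecure" on such a name
# means the resolver started fine but the answer was not DNSSEC-validated.
signed_zone_validates() { [ "$(worst_status)" = "secure" ]; }

for s in sample_trusted_keys sample_root_hints_only sample_validated; do
    printf '%-24s %s\n' "$s" "$("$s" | worst_status)"
done

# Live use, with the command from the post:
#   unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net | worst_status
```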