Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure


Chronological Thread  
  • From: Jérémy Bondon <jeremy.bondon AT free.fr>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
  • Date: Sat, 22 Jan 2022 16:59:20 +0100

I will look into it and try to update it.


On 22/01/2022 00:33, Rouben wrote:
Do you mind updating the OpenNIC wiki? That very useful information and it
would be a shame if it got buried in the mailing list archives.

Rouben


On Fri, Jan 21, 2022 at 5:32 PM Jérémy Bondon <jeremy.bondon AT free.fr> wrote:

Hello,

I am currently running Unbound on a Raspberry Pi with Arch Linux.

I don't remember where I got this, but this is the answer I found when
trying to setup DNSKEY :

dig @168.119.153.26 dnskey . | dnssec-dsfromkey -2 -f - . >
/etc/unbound/opennic.dnskey

And here is the result :

sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v
sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
(secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v
ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (secure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (secure)
ns5.opennic.glue has no mail handler record (secure)


On 21/01/2022 19:23, register2021 wrote:

Hello,

I have unbound installed in Ubuntu 20.04 with apt install unbound.

I have created hints file:

dig . NS @161.97.219.84 > /etc/unbound/opennic.cache

I have also created trust anchor file:

sudo -u unbound unbound-anchor -r /etc/unbound/opennic.cache -a
/var/lib/unbound/opennic.key

when i use it in unbound.conf like

trust-anchor-file: "/var/lib/unbound/opennic.key"

it fails. But when i create a key file:

sudo -u unbound dig DNSKEY . @161.97.219.84 >
/var/lib/unbound/opennic.dnskey

and put it in the config like:

trusted-keys-file: "/var/lib/unbound/opennic.dnskey"

it starts without errors.

But i suspect that it does not use DNSSEC.

root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v
sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
(insecure)
sigok.verteiltesysteme.net has no mail handler record (insecure)

(should be secure, it was secure under icann.root.hints)

root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v
ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (insecure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (insecure)
ns5.opennic.glue has no mail handler record (insecure)

Here i dont know, if it should be secure or not...... It looks like DNSSEC
is NOT working anymore.

Unbound does not like multiple hints and keys, so i had to use only
opennic's parameters.

Maybe it is extremely bound to ICANN, it looks like hard-coded, and there
is no alternative configs laying around...

--------------------------------------------------------

On 21/01/2022 03:48, Rouben wrote:

Did you install the OpenNIC root keys? Unbound and BIND come with default
DNSSEC keys which are not valid for OpenNIC servers.

See https://wiki.opennic.org/opennic/dnssec
This page is for BIND, but you can adapt it for unbound, based on the
documentation here:
https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/

Also there is an unbound wiki page, but it needs work. Since you’re
running unbound, perhaps you could consider updating that page for the
benefit of others who wish to run unbound?
Sample config without DNSSEC:
https://wiki.opennic.org/tier_2_unbound
Old wiki page without DNSSEC:

https://web.archive.org/web/20160904020628/http://wiki.opennicproject.org:80/Tier2ConfigUnbound

Let me know if you want to work on this; I wanted to try unbound myself
but just never got around to setting it up. Maybe together we can somehow
divide the work?

Rouben

On Thu, Jan 20, 2022 at 14:24 <register2021 AT dimtim.eu>
<register2021 AT dimtim.eu> wrote:

    Hello,
    I have installed personal unbound resolver on Ubuntu 20.04 with
    default
    configuration and it works OK in my home network.
    When i add just 1 line:
    root-hints: "/etc/unbound/opennic.cache"
    to the unbound.conf, my server starts with status OK, but stops
    resolving and
    gives SERVFAIL errors on dig commands. This line breaks it. When i
    comment it
    out, after restart it works properly (but of course, not seeing
    opennic
    domains).

    journalctl -xe
    gives multiple errors of this type:
    info: failed to prime trust anchor -- DNSKEY rrset is not secure .
    DNSKEY IN

    also:
    unbound-host -C /etc/unbound/unbound.conf -v
    sigok.verteiltesysteme.net <http://sigok.verteiltesysteme.net>
<http://sigok.verteiltesysteme.net>
    sigok.verteiltesysteme.net <http://sigok.verteiltesysteme.net>
<http://sigok.verteiltesysteme.net> has
    address 134.91.78.139 (BOGUS (security
    failure))
    validation failure <sigok.verteiltesysteme.net
    <http://sigok.verteiltesysteme.net>
<http://sigok.verteiltesysteme.net>. A IN>: signature missing from
    161.97.219.84 for trust anchor . while building chain of trust
    sigok.verteiltesysteme.net <http://sigok.verteiltesysteme.net>
<http://sigok.verteiltesysteme.net> has
    IPv6 address 2001:638:501:8efc::139 (BOGUS
    (security failure))

    Do you support widely used, actively developed and easy to
    configure unbound
    resolver? It looks you don't.. I did not find any post here when i
    searched
    for "unbound".
    Do you plan to support it?
    Thanks


    --------
    You are a member of the OpenNIC Discuss list.
    You may unsubscribe by emailing
    discuss-unsubscribe AT lists.opennicproject.org

--
Rouben


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by
emailingdiscuss-unsubscribe AT lists.opennicproject.org


--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing
discuss-unsubscribe AT lists.opennicproject.org


      

--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org




Archive powered by MHonArc 2.6.24.

Top of Page