Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
- From: Jérémy Bondon <jeremy.bondon AT free.fr>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
- Date: Sat, 22 Jan 2022 16:59:20 +0100
I will look into it and try to update it.

On 22/01/2022 00:33, Rouben wrote:

Do you mind updating the OpenNIC wiki? That's very useful information and it would be a shame if it got buried in the mailing list archives.

Rouben

On Fri, Jan 21, 2022 at 5:32 PM Jérémy Bondon <jeremy.bondon AT free.fr> wrote:

Hello,

I am currently running Unbound on a Raspberry Pi with Arch Linux. I don't remember where I got this, but this is the answer I found when trying to set up DNSKEY:

dig @168.119.153.26 dnskey . | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey

And here is the result:

sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (secure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (secure)
ns5.opennic.glue has no mail handler record (secure)

On 21/01/2022 19:23, register2021 wrote:

Hello,

I have unbound installed in Ubuntu 20.04 with apt install unbound.

I have created hints file:

dig . NS @161.97.219.84 > /etc/unbound/opennic.cache

I have also created trust anchor file:

sudo -u unbound unbound-anchor -r /etc/unbound/opennic.cache -a /var/lib/unbound/opennic.key

When I use it in unbound.conf like

trust-anchor-file: "/var/lib/unbound/opennic.key"

it fails. But when I create a key file:

sudo -u unbound dig DNSKEY . @161.97.219.84 > /var/lib/unbound/opennic.dnskey

and put it in the config like:

trusted-keys-file: "/var/lib/unbound/opennic.dnskey"

it starts without errors. But I suspect that it does not use DNSSEC.

root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
sigok.verteiltesysteme.net has no mail handler record (insecure)

(should be secure, it was secure under icann.root.hints)

root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (insecure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (insecure)
ns5.opennic.glue has no mail handler record (insecure)

Here I don't know if it should be secure or not... It looks like DNSSEC is NOT working anymore. Unbound does not like multiple hints and keys, so I had to use only opennic's parameters. Maybe it is extremely bound to ICANN, it looks like hard-coded, and there are no alternative configs lying around...

--------------------------------------------------------

On 21/01/2022 03:48, Rouben wrote:

Did you install the OpenNIC root keys? Unbound and BIND come with default DNSSEC keys which are not valid for OpenNIC servers. See https://wiki.opennic.org/opennic/dnssec

This page is for BIND, but you can adapt it for unbound, based on the documentation here: https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/

Also there is an unbound wiki page, but it needs work. Since you're running unbound, perhaps you could consider updating that page for the benefit of others who wish to run unbound?

Sample config without DNSSEC: https://wiki.opennic.org/tier_2_unbound
Old wiki page without DNSSEC: https://web.archive.org/web/20160904020628/http://wiki.opennicproject.org:80/Tier2ConfigUnbound

Let me know if you want to work on this; I wanted to try unbound myself but just never got around to setting it up. Maybe together we can somehow divide the work?

Rouben

On Thu, Jan 20, 2022 at 14:24 <register2021 AT dimtim.eu> wrote:

Hello,

I have installed personal unbound resolver on Ubuntu 20.04 with default configuration and it works OK in my home network. When I add just 1 line:

root-hints: "/etc/unbound/opennic.cache"

to the unbound.conf, my server starts with status OK, but stops resolving and gives SERVFAIL errors on dig commands. This line breaks it. When I comment it out, after restart it works properly (but of course, not seeing opennic domains).

journalctl -xe gives multiple errors of this type:

info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

also:

unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure <sigok.verteiltesysteme.net. A IN>: signature missing from 161.97.219.84 for trust anchor . while building chain of trust
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))

Do you support widely used, actively developed and easy to configure unbound resolver? It looks like you don't. I did not find any post here when I searched for "unbound". Do you plan to support it?

Thanks

--------
You are a member of the OpenNIC Discuss list. You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
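To cross-check a generated trust anchor offline, here is an added Python example (not code from the thread, from Unbound or from BIND) that does what `dnssec-dsfromkey -2` does: it derives the key tag and SHA-256 DS record for each KSK found in `dig DNSKEY .` output and emits them in the zone format that unbound's trust-anchor-file: accepts. The server address 192.0.2.53 and the four-byte keys in SAMPLE_DIG are constructed placeholders, not OpenNIC's.

```python
import base64
import hashlib
import struct
from typing import List, NamedTuple

class DS(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256, what dnssec-dsfromkey -2 selects
    digest: str       # uppercase hex, as dnssec-dsfromkey prints it

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels; root is 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_records_from_dig(dig_output: str, owner: str = ".", ksk_only: bool = True) -> List[DS]:
    """Parse dig's DNSKEY answer lines; DS digest = SHA-256(owner wire name | RDATA)."""
    records = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith(";") or f[3] != "DNSKEY" or f[0].lower() != owner.lower():
            continue  # comments, other record types, other owner names
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        if ksk_only and not flags & 1:  # SEP bit is set only on the KSK (flags 257)
            continue
        pubkey = base64.b64decode("".join(f[7:]))  # dig may split the base64 with spaces
        rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
        digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
        records.append(DS(owner, key_tag(flags, proto, alg, pubkey), alg, 2, digest))
    return records

def trust_anchor_file(records: List[DS]) -> str:
    """Zone-format DS lines, the form unbound's trust-anchor-file: accepts."""
    return "".join(f"{r.owner} IN DS {r.key_tag} {r.algorithm} {r.digest_type} {r.digest}\n" for r in records)

# Constructed sample in dig's answer-section layout (placeholder keys and server, not OpenNIC's).
SAMPLE_DIG = """\
; <<>> DiG 9.16.1 <<>> DNSKEY . @192.0.2.53
.\t\t3600\tIN\tDNSKEY\t257 3 8 AQIDBA==
.\t\t3600\tIN\tDNSKEY\t256 3 8 BQYHCA==
"""
```

Whichever tool produced the file, the anchor is only as trustworthy as the unauthenticated fetch from a single server it came from, so compare the resulting DS against the value OpenNIC publishes before pointing trust-anchor-file at it.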