Discuss mailing list

[R4SAS <r4sas AT i2pd.xyz>]

Hello, can you share you configuration file?
I can get only icann zones signed, but opennic zones left insecure.

# unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (insecure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 
(insecure)
ns5.opennic.glue has no mail handler record (insecure)

# unbound-host -C /etc/unbound/unbound.conf -v 
sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 
(secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

On 2022-01-21 22:32, Jérémy Bondon wrote:
> Hello,
>
> I am currently running Unbound on a Raspberry Pi with Arch Linux.
>
> I don't remember where I got this, but this is the answer I found when
> trying to setup DNSKEY :
>
> dig @168.119.153.26 dnskey . | dnssec-dsfromkey -2 -f - . >
> /etc/unbound/opennic.dnskey
>
> And here is the result :
>
> sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v
> sigok.verteiltesysteme.net
> sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
> sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
> (secure)
> sigok.verteiltesysteme.net has no mail handler record (secure)
>
> sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v
> ns5.opennic.glue
> ns5.opennic.glue has address 94.103.153.176 (secure)
> ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3
> (secure)
> ns5.opennic.glue has no mail handler record (secure)
>
> On 21/01/2022 19:23, register2021 wrote:
>
> > Hello,
> >
> > I have unbound installed in Ubuntu 20.04 with apt install unbound.
> >
> > I have created hints file:
> >
> > dig . NS @161.97.219.84 > /etc/unbound/opennic.cache
> >
> > I have also created trust anchor file:
> >
> > sudo -u unbound unbound-anchor -r /etc/unbound/opennic.cache -a
> > /var/lib/unbound/opennic.key
> >
> > when i use it in unbound.conf like
> >
> > trust-anchor-file: "/var/lib/unbound/opennic.key"
> >
> > it fails. But when i create a key file:
> >
> > sudo -u unbound dig DNSKEY . @161.97.219.84 >
> > /var/lib/unbound/opennic.dnskey
> >
> > and put it in the config like:
> >
> > trusted-keys-file: "/var/lib/unbound/opennic.dnskey"
> >
> > it starts without errors.
> >
> > But i suspect that it does not use DNSSEC.
> >
> > root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v
> > sigok.verteiltesysteme.net
> > sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
> > sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
> > (insecure)
> > sigok.verteiltesysteme.net has no mail handler record (insecure)
> >
> > (should be secure, it was secure under icann.root.hints)
> >
> > root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v
> > ns5.opennic.glue
> > ns5.opennic.glue has address 94.103.153.176 (insecure)
> > ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3
> > (insecure)
> > ns5.opennic.glue has no mail handler record (insecure)
> >
> > Here i dont know, if it should be secure or not...... It looks like
> > DNSSEC is NOT working anymore.
> >
> > Unbound does not like multiple hints and keys, so i had to use only
> > opennic's parameters.
> >
> > Maybe it is extremely bound to ICANN, it looks like hard-coded, and
> > there is no alternative configs laying around...
> >
> > --------------------------------------------------------
> >
> > On 21/01/2022 03:48, Rouben wrote:
> >
> > > Did you install the OpenNIC root keys? Unbound and BIND come with
> > > default DNSSEC keys which are not valid for OpenNIC servers.
> > >
> > > See https://wiki.opennic.org/opennic/dnssec
> > > This page is for BIND, but you can adapt it for unbound, based on
> > > the documentation here:
> > > https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/
> > >
> > > Also there is an unbound wiki page, but it needs work. Since
> > > you’re running unbound, perhaps you could consider updating that
> > > page for the benefit of others who wish to run unbound?
> > > Sample config without DNSSEC:
> > > https://wiki.opennic.org/tier_2_unbound
> > > Old wiki page without DNSSEC:
> https://web.archive.org/web/20160904020628/http://wiki.opennicproject.org:80/Tier2ConfigUnbound
> > > Let me know if you want to work on this; I wanted to try unbound
> > > myself but just never got around to setting it up. Maybe together
> > > we can somehow divide the work?
> > >
> > > Rouben
> > >
> > > On Thu, Jan 20, 2022 at 14:24 <register2021 AT dimtim.eu> wrote:
> > >
> > > Hello,
> > > I have installed personal unbound resolver on Ubuntu 20.04
> > > with
> > > default
> > > configuration and it works OK in my home network.
> > > When i add just 1 line:
> > > root-hints: "/etc/unbound/opennic.cache"
> > > to the unbound.conf, my server starts with status OK, but
> > > stops
> > > resolving and
> > > gives SERVFAIL errors on dig commands. This line breaks it.
> > > When i
> > > comment it
> > > out, after restart it works properly (but of course, not
> > > seeing
> > > opennic
> > > domains).
> > >
> > > journalctl -xe
> > > gives multiple errors of this type:
> > > info: failed to prime trust anchor -- DNSKEY rrset is not
> > > secure .
> > > DNSKEY IN
> > >
> > > also:
> > > unbound-host -C /etc/unbound/unbound.conf -v
> > > sigok.verteiltesysteme.net <http://sigok.verteiltesysteme.net>
> > > [1]
> > > sigok.verteiltesysteme.net <http://sigok.verteiltesysteme.net>
> > > [1] has
> > > address 134.91.78.139 (BOGUS (security
> > > failure))
> > > validation failure <sigok.verteiltesysteme.net
> > > <http://sigok.verteiltesysteme.net> [1]. A IN>: signature
> > > missing from
> > > 161.97.219.84 for trust anchor . while building chain of trust
> > >
> > > sigok.verteiltesysteme.net <http://sigok.verteiltesysteme.net>
> > > [1] has
> > > IPv6 address 2001:638:501:8efc::139 (BOGUS
> > > (security failure))
> > >
> > > Do you support widely used, actively developed and easy to
> > > configure unbound
> > > resolver? It looks you don't.. I did not find any post here
> > > when i
> > > searched
> > > for "unbound".
> > > Do you plan to support it?
> > > Thanks
> > >
> > > --------
> > > You are a member of the OpenNIC Discuss list.
> > > You may unsubscribe by emailing
> > > discuss-unsubscribe AT lists.opennicproject.org
> > >
> > > --
> > > Rouben
> > >
> > > --------
> > > You are a member of the OpenNIC Discuss list.
> > > You may unsubscribe by
> > > emailingdiscuss-unsubscribe AT lists.opennicproject.org
> >
> > --------
> > You are a member of the OpenNIC Discuss list.
> > You may unsubscribe by emailing
> > discuss-unsubscribe AT lists.opennicproject.org
>
>
>
> Links:
> ------
> [1] http://sigok.verteiltesysteme.net
>
>
> --------
> You are a member of the OpenNIC Discuss list.
> You may unsubscribe by emailing 
> discuss-unsubscribe AT lists.opennicproject.org