Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure


  • From: register2021 <register2021 AT dimtim.eu>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] unbound tier 2 / personal not working. errors hints file SERVFAIL security failure
  • Date: Sun, 6 Feb 2022 19:27:29 +0100

Ubuntu 20.04, 4 files attached.


On 06/02/2022 02:15, R4SAS wrote:
Hello, can you share your configuration file?
I can get only icann zones signed, but opennic zones left insecure.

# unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (insecure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (insecure)
ns5.opennic.glue has no mail handler record (insecure)

# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

On 2022-01-21 22:32, Jérémy Bondon wrote:
Hello,

I am currently running Unbound on a Raspberry Pi with Arch Linux.

I don't remember where I got this, but this is the answer I found when trying to set up DNSKEY:

dig @168.119.153.26 dnskey . | dnssec-dsfromkey -2 -f - . > /etc/unbound/opennic.dnskey

And here is the result:

sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (secure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (secure)
sigok.verteiltesysteme.net has no mail handler record (secure)

sudo -u unbound unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (secure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (secure)
ns5.opennic.glue has no mail handler record (secure)

On 21/01/2022 19:23, register2021 wrote:

Hello,

I have unbound installed in Ubuntu 20.04 with apt install unbound.

I have created hints file:

dig . NS @161.97.219.84 > /etc/unbound/opennic.cache

I have also created trust anchor file:

sudo -u unbound unbound-anchor -r /etc/unbound/opennic.cache -a /var/lib/unbound/opennic.key

When I use it in unbound.conf like

trust-anchor-file: "/var/lib/unbound/opennic.key"

it fails. But when I create a key file:

sudo -u unbound dig DNSKEY . @161.97.219.84 > /var/lib/unbound/opennic.dnskey

and put it in the config like:

trusted-keys-file: "/var/lib/unbound/opennic.dnskey"

it starts without errors.

But I suspect that it does not use DNSSEC.

root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
sigok.verteiltesysteme.net has no mail handler record (insecure)

(should be secure, it was secure under icann.root.hints)

root@m:/etc/unbound# unbound-host -C /etc/unbound/unbound.conf -v ns5.opennic.glue
ns5.opennic.glue has address 94.103.153.176 (insecure)
ns5.opennic.glue has IPv6 address 2a02:990:219:1:ba:1337:cafe:3 (insecure)
ns5.opennic.glue has no mail handler record (insecure)

Here I don't know if it should be secure or not... It looks like DNSSEC is NOT working anymore.

Unbound does not like multiple hints and keys, so I had to use only opennic's parameters.

Maybe it is extremely bound to ICANN, it looks like hard-coded, and there are no alternative configs lying around...

--------------------------------------------------------

On 21/01/2022 03:48, Rouben wrote:

Did you install the OpenNIC root keys? Unbound and BIND come with
default DNSSEC keys which are not valid for OpenNIC servers.

See https://wiki.opennic.org/opennic/dnssec
This page is for BIND, but you can adapt it for unbound, based on
the documentation here:
https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/

Also there is an unbound wiki page, but it needs work. Since
you’re running unbound, perhaps you could consider updating that
page for the benefit of others who wish to run unbound?
Sample config without DNSSEC:
https://wiki.opennic.org/tier_2_unbound
Old wiki page without DNSSEC:
https://web.archive.org/web/20160904020628/http://wiki.opennicproject.org:80/Tier2ConfigUnbound

Let me know if you want to work on this; I wanted to try unbound
myself but just never got around to setting it up. Maybe together
we can somehow divide the work?

Rouben

On Thu, Jan 20, 2022 at 14:24 <register2021 AT dimtim.eu> wrote:

Hello,
I have installed personal unbound resolver on Ubuntu 20.04 with default configuration and it works OK in my home network.
When I add just 1 line:
root-hints: "/etc/unbound/opennic.cache"
to the unbound.conf, my server starts with status OK, but stops resolving and gives SERVFAIL errors on dig commands. This line breaks it. When I comment it out, after restart it works properly (but of course, not seeing opennic domains).

journalctl -xe
gives multiple errors of this type:
info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

also:
unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
sigok.verteiltesysteme.net has address 134.91.78.139 (BOGUS (security failure))
validation failure <sigok.verteiltesysteme.net. A IN>: signature missing from 161.97.219.84 for trust anchor . while building chain of trust
sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (BOGUS (security failure))

Do you support widely used, actively developed and easy to configure unbound resolver? It looks like you don't. I did not find any post here when I searched for "unbound".
Do you plan to support it?
Thanks

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing
discuss-unsubscribe AT lists.opennicproject.org

--
Rouben




--------
Attached files (4, as noted above):

. IN DS 60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538
server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

remote-control:
# enable remote-control
control-enable: yes

server:
root-hints: "/etc/unbound/opennic.cache"
trust-anchor-file: "/var/lib/unbound/opennic.dnskey"
# the interface that is used to connect to the network (this will listen to all interfaces)
# interface: 0.0.0.0
interface: 127.0.0.1
interface: 192.168.1.99
interface: ::0
# addresses from the IP range that are allowed to connect to the resolver
access-control: 192.168.0.0/16 allow
access-control: fe80::/10 allow
access-control: 127.0.0.0/8 allow
# more cache memory, rrset=msg*2
rrset-cache-size: 100m
msg-cache-size: 50m
statistics-interval: 0
extended-statistics: yes
# set to yes if graphing tool needs it
statistics-cumulative: no
logfile: "/var/log/unbound/unbound.log"

; <<>> DiG 9.16.1-Ubuntu <<>> . NS @161.97.219.84
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22962
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 86400 IN NS ns10.opennic.glue.
. 86400 IN NS ns4.opennic.glue.
. 86400 IN NS ns2.opennic.glue.
. 86400 IN NS ns5.opennic.glue.
. 86400 IN NS ns11.opennic.glue.
. 86400 IN NS ns8.opennic.glue.
. 86400 IN NS ns13.opennic.glue.
. 86400 IN NS ns9.opennic.glue.

;; ADDITIONAL SECTION:
ns2.opennic.glue. 7200 IN A 161.97.219.84
ns2.opennic.glue. 7200 IN AAAA 2001:470:4212:10:0:100:53:10
ns4.opennic.glue. 7200 IN A 163.172.168.171
ns5.opennic.glue. 7200 IN A 94.103.153.176
ns5.opennic.glue. 7200 IN AAAA 2a02:990:219:1:ba:1337:cafe:3
ns8.opennic.glue. 7200 IN A 178.63.116.152
ns8.opennic.glue. 7200 IN AAAA 2a01:4f8:141:4281::999
ns9.opennic.glue. 7200 IN A 209.141.36.19
ns10.opennic.glue. 7200 IN A 188.226.146.136
ns10.opennic.glue. 7200 IN AAAA 2a03:b0c0:0:1010::13f:6001
ns11.opennic.glue. 7200 IN A 198.98.51.33
ns13.opennic.glue. 7200 IN A 144.76.103.143
ns13.opennic.glue. 7200 IN AAAA 2a01:4f8:192:43a5::2

;; Query time: 119 msec
;; SERVER: 161.97.219.84#53(161.97.219.84)
;; WHEN: Fri Jan 21 17:16:43 CET 2022
;; MSG SIZE rcvd: 447
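The thread turns on whether the trust anchor unbound is given actually describes the DNSKEY served by the OpenNIC root: an anchor that does not match yields "failed to prime trust anchor" and BOGUS answers, while a key file unbound silently ignores yields "insecure" answers. The following is an added example, not code from the thread, from unbound, BIND or the OpenNIC wiki. It reimplements the two calculations that dnssec-dsfromkey performs (the RFC 4034 key tag and the DS digest over owner name plus DNSKEY RDATA) so that a trust-anchor-file line can be cross-checked offline against a DNSKEY fetched separately. The DS line is the one attached above; the DNSKEY it is compared with is a constructed toy whose public-key bytes are not a usable RSA key and exist only to exercise the digest path.

```python
"""Cross-check a DS trust anchor against the DNSKEY it is supposed to describe.

Added example for this thread, not code from unbound, BIND or the OpenNIC
wiki. Implements the RFC 4034 key tag (Appendix B) and DS digest (section
5.1.4) so the line in trust-anchor-file can be compared with a DNSKEY
obtained from a root server before unbound is restarted.
"""
import base64
import hashlib
import struct

# DS line exactly as attached to the reply above (key tag 60820, RSA/SHA-256, SHA-256 digest).
PAGE_DS_LINE = (". IN DS 60820 8 2 "
                "A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538")

# Constructed toy DNSKEY: the 6 public-key bytes are NOT a usable RSA key; they only
# exercise the digest path. Flags 257 = KSK/SEP, protocol 3, algorithm 8 (RSA/SHA-256).
TOY_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])
TOY_DNSKEY_LINE = ". IN DNSKEY 257 3 8 " + base64.b64encode(TOY_PUBKEY).decode()

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire order (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for a DNSKEY, as dnssec-dsfromkey would."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_ds(line: str):
    """Parse '<owner> [ttl] [IN] DS <tag> <alg> <dtype> <digest>'; a digest wrapped over spaces is rejoined."""
    t = line.split()
    i = t.index("DS")
    return t[0], int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), "".join(t[i + 4:]).upper()


def parse_dnskey(line: str):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64>' (base64 may be split by spaces)."""
    t = line.split()
    i = t.index("DNSKEY")
    return t[0], int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), base64.b64decode("".join(t[i + 4:]))


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True only if owner, algorithm, key tag and digest of the DS all agree with the DNSKEY."""
    owner, tag, alg, dtype, digest = parse_ds(ds_line)
    k_owner, flags, proto, k_alg, pubkey = parse_dnskey(dnskey_line)
    if name_to_wire(owner) != name_to_wire(k_owner) or alg != k_alg or dtype not in DIGEST_ALGS:
        return False
    calc_tag, _, _, calc_digest = ds_from_dnskey(k_owner, flags, proto, k_alg, pubkey, dtype)
    return calc_tag == tag and calc_digest == digest


def toy_ds_line() -> str:
    """The DS record belonging to TOY_DNSKEY_LINE, formatted like the attached anchor file."""
    owner, flags, proto, alg, pubkey = parse_dnskey(TOY_DNSKEY_LINE)
    tag, alg, dtype, digest = ds_from_dnskey(owner, flags, proto, alg, pubkey)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    print("attached anchor parses as:", parse_ds(PAGE_DS_LINE)[:4])
    print("toy key tag:", key_tag(dnskey_rdata(257, 3, 8, TOY_PUBKEY)))  # -> 45784
    print("toy DS:", toy_ds_line())
    print("matches own DNSKEY:", ds_matches_dnskey(toy_ds_line(), TOY_DNSKEY_LINE))
    # a single changed byte in the served key must be caught before unbound primes from it
    print("matches tampered DNSKEY:", ds_matches_dnskey(toy_ds_line(), ". IN DNSKEY 257 3 8 AwEAAavO"))
```

In practice the DNSKEY line would come from `dig DNSKEY . @<opennic root server>` and the DS line from the file named in `trust-anchor-file`; if `ds_matches_dnskey` returns False for every KSK in the answer, the anchor cannot prime and unbound will report exactly the "DNSKEY rrset is not secure" error quoted in the first message. Note that a `dig` output file contains `;;` comment lines and a DNSKEY in presentation format, which is a different thing from the BIND `trusted-keys { ... }` syntax that `trusted-keys-file` expects, so a config that starts without errors is not by itself evidence that validation is active; `unbound-host -v` reporting `(secure)` for a known-signed name is.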




Archive powered by MHonArc 2.6.24.
