DNSSEC and root.key problem

Hi!

My unbound stopped working. I think I could track it down to the file root.key and DNSSEC. Unfortunately I can’t figure out how to make it work again. :confused:

  1. My system
    unbound 1.9.0 with pihole on a Raspberry Pi. My unbound uses hyperlocal root and forward-addr’es for DoT.

  2. What I did before the error occurred
    I manually started an ‘autoupdatelocalroot’ script that checks if the local copy of root.hints is outdated and if so, creates a newer version of https://www.internic.net/domain/named.root and saves it locally. This update script has worked many times already. This time, however, it seems something went wrong somewhere.

  3. What is the problem
    Pihole now displays every DNS request as ‘bogus’. If I turn DNSSEC off in pihole, host name resolution works again. However, DNSSEC was turned on all the time in pihole before and it worked flawlessly for months. So it can’t be that pihole setting.

  4. What I found out
    “dig mail.de @9.9.9.9” returns NOERROR and the ad-flag is set. (This command avoids both unbound and pihole).
    “dig mail.de @127.0.0.1 -p 5353” returns NOERROR, but the ad-flag is missing. (This command uses unbound, but avoids pihole)
    “dig mail.de @127.0.0.1 -p 53” returns SERVFAIL and ad-flag missing (using unbound and pihole, latter one with DNSSEC=yes)
    “dig mail.de @127.0.0.1 -p 53” returns NOERROR, but missing ad-flag. (using unbound and pihole, latter one with DNSSEC=no)

Because of the missing ad-flag in the second example I suspect something messed up the DNSSEC configuration.

  5. What I tried
  • I restored the previous root.hints file but to no avail. Same error.
    I wonder if roots.hint and root.key are in some way linked to each other or if each of them can be changed independently?

  • I tried “sudo -u unbound unbound-anchor -v”. It returns:

/var/lib/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed

  • I restored the previous root.key file. Oddly enough, the ad-flag comes back (second command above), but pihole still displays every DNS request as bogus. -.-

  6. My config files

root-auto-trust-anchor-file:
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

root.key before unbound-anchor (using this file also makes the ad-flag appear):
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1586243231 ;;Tue Apr 7 09:07:11 2020
;;last_success: 1586243231 ;;Tue Apr 7 09:07:11 2020
;;next_probe_time: 1586329189 ;;Wed Apr 8 08:59:49 2020
;;query_failed: 0
;;query_interval: 86400
;;retry_time: 17280
. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1577624636 ;;Sun Dec 29 14:03:56 2019

root.key after I deleted root.key manually and ran unbound-anchor (using this file makes the ad-flag disappear):
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

I’m lost. What can I do to set up a working and up-to-date root.key and DNSSEC configuration again? I’d also love to be able to set DNSSEC=yes in pihole as it was before for many months.

Hi.

As far as I can tell, Unbound is able to read a root.key file containing
exactly one DS, refetch the key, check the hash against the DS and --- if
successful --- rewrite the root.key file with the full DNSKEY.

According to https://www.icann.org/dns-resolvers-updating-latest-trust-anchor,
19036 is the tag for KSK2010, while 20326 is the tag for KSK2017.
The KSK for "." was replaced some time ago... I guess 2017 :slight_smile:

I suggest that you
- check the clock on your Pi (I vaguely remember another thread about
  the problem of bootstrapping NTP on systems without a battery-backed RTC)
- stop unbound, remove the line with tag 19036 from the file, restart unbound

As far as I know, root.hints and root.key are independent: the former
tells which nameservers are _likely_ authoritative for the root zone
(i.e. where to start recursion), the latter permits validating the
response of any of them.

Regards
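To make the DS-versus-DNSKEY check described above concrete, here is an added Python example (written for this page, not code from the thread or from Unbound) that recomputes the RFC 4034 key tag and the SHA-256 DS digest for the DNSKEY quoted in the question and compares them against the two DS lines unbound-anchor wrote; the anchor text it parses is constructed from exactly those quoted lines.

```python
import base64
import hashlib

# Constructed anchor text from the lines quoted in the question (DS lines written by unbound-anchor, DNSKEY from the older root.key).
KSK2017_B64 = "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
ANCHOR_FILE = f"""\
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. 86400 IN DNSKEY 257 3 8 {KSK2017_B64} ;{{id = 20326 (ksk), size = 2048b}}
"""

def owner_wire(name):
    # Owner name in DNS wire format; the root "." is a single zero byte.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    # DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key.
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    # Key tag per RFC 4034 Appendix B (all algorithms except 1).
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(name, rdata, digest_type):
    # DS digest = hash(owner name wire format || DNSKEY RDATA); 1=SHA-1, 2=SHA-256, 4=SHA-384.
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(owner_wire(name) + rdata).hexdigest().upper()

def check_anchor_file(text):
    # Each DS tag -> "VALID" if a DNSKEY in the file matches tag, algorithm and digest, else "NO MATCHING DNSKEY".
    ds_records, keys = [], {}
    for line in text.splitlines():
        f = line.split(";")[0].split()  # drop autotrust ';' comments
        if "DS" in f:
            i = f.index("DS")
            ds_records.append((f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), f[i + 4].upper()))
        elif "DNSKEY" in f:
            i = f.index("DNSKEY")
            rdata = dnskey_rdata(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]))
            keys[key_tag(rdata)] = (f[0], rdata)
    result = {}
    for name, tag, alg, dtype, digest in ds_records:
        key = keys.get(tag)
        ok = key is not None and key[0] == name and key[1][3] == alg and ds_digest(name, key[1], dtype) == digest
        result[tag] = "VALID" if ok else "NO MATCHING DNSKEY"
    return result
```

This performs only the offline hash comparison; Unbound additionally fetches the root DNSKEY RRset over DNS and verifies its RRSIG before it rewrites root.key, so a VALID result here means the file is internally consistent, not that the key is currently in use in the root zone.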

Hi Andy,

> I manually started an 'autoupdatelocalroot' script that checks if the local copy
> of root.hints is outdated and if so, creates a newer version of
> https://www.internic.net/domain/named.root and saves it locally. This update
> script has worked for many times already. This time, however, it seems something
> went wrong somewhere.

Don't do this, and remove the "root-hints" option from your
unbound.conf. This will make unbound use its built-in hints. They change
rarely, so the in-built list will never be obsolete, and unbound will do
priming on startup to keep its root server addresses up to date.

The fewer things you have to fiddle around with, the easier it is to
debug things.

> 5) What I tried
> - I restored the previous root.hints file but to no avail. Same error.
> I wonder if roots.hint and root.key are in some way linked to each other or if
> each of them be changed independently?

"roots.hint" and "root.key" are completely different. As I said above,
you don't need a root.hints file. The root.key file contains the trust
anchor to use for DNSSEC validation. Normally, you should not need to
touch this either, because unbound uses RFC5011 to keep it updated when
the root zone KSK is rolled.

[snip]

I can't yet see what is causing validation to fail on your pihole, but I
hope someone else can provide an answer to that.

Regards,
Anand