DNSSEC problems

Hi all,

I'm trying again to convince my unbound to do DNSSEC. I'm not seeing
what I'm doing wrong. Here's a log snippet that covers the messages
I'm seeing as problematic:

Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure
<122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for
trust anchor . while building chain of trust
Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure
<94-73-154-122.cizgi.net.tr. A IN>: key for validation . is marked as
invalid because of a previous validation failure
<122.154.73.94.in-addr.arpa. PTR IN>: no signatures from 127.0.0.1 for
trust anchor . while building chain of trust
Jun 9 23:09:29 atlanta unbound: [3180:0] info: validation failure
<94-73-154-122.cizgi.net.tr.members.linode.com. A IN>: key for
validation . is marked as invalid because of a previous validation
failure <122.154.73.94.in-addr.arpa. PTR IN>: no signatures from
127.0.0.1 for trust anchor . while building chain of trust

The configuration:

atlanta# egrep -v "^[[:cntrl:] ]*[#;]|^$" /etc/unbound/unbound.conf
server:
  verbosity: 1
  extended-statistics: yes
  interface: 10.8.0.1
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.0/8 allow
  access-control: 10.8.0.0/16 allow
  access-control: ::0/0 refuse
  access-control: ::1 allow
  chroot: ""
  harden-referral-path: yes
  use-caps-for-id: yes
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 192.254.0.0/16
  private-address: fd00::/8
  private-address: fe80::/10
  do-not-query-localhost: no
  prefetch: yes
  prefetch-key: yes

  auto-trust-anchor-file: "/etc/unbound/root.key"
  val-log-level: 2

  local-zone: "parts-unknown.org." static
  local-data: "parts-unknown.org. IN A 74.207.225.79"
  local-data: "parts-unknown.org. IN MX 10 parts-unknown.org."
  local-data: "atlanta.parts-unknown.org. IN A 10.8.0.1"
  local-data: "mail.parts-unknown.org. IN A 10.8.0.1"
  local-data: "graton.parts-unknown.org. IN A 10.8.0.10"
  local-data: "graton.parts-unknown.org. IN MX 20 parts-unknown.org."
  local-data: "graton.parts-unknown.org. IN MX 10 graton.parts-unknown.org."
  local-data: "n4rky.parts-unknown.org. IN A 10.8.0.22"
  local-data: "notary.parts-unknown.org. IN A 10.8.0.1"
  local-data: "www.parts-unknown.org. IN A 74.207.225.79"
  local-data: "s.parts-unknown.org. IN A 74.207.225.79"
  local-zone: "cybernude.org." static
  local-data: "cybernude.org. IN A 173.230.137.73"
  local-data: "cybernude.org. IN MX 10 parts-unknown.org."
  local-data: "atlanta.cybernude.org. IN A 10.8.0.1"
  local-data: "graton.cybernude.org. IN A 10.8.0.10"
  local-data: "graton.cybernude.org. IN MX 20 parts-unknown.org."
  local-data: "graton.cybernude.org. IN MX 10 graton.parts-unknown.org."
  local-data: "n4rky.cybernude.org. IN A 10.8.0.22"
  local-data: "www.cybernude.org. IN A 10.8.0.10"
  local-data: "s.cybernude.org. IN A 173.230.137.73"
  local-zone: "disunitedstates.com." static
  local-data: "disunitedstates.com. IN A 173.230.137.73"
  local-data: "disunitedstates.com. IN MX 10 parts-unknown.org."
  local-data: "atlanta.disunitedstates.com. IN A 10.8.0.1"
  local-data: "graton.disunitedstates.com. IN A 10.8.0.10"
  local-data: "graton.disunitedstates.com. IN MX 10 graton.parts-unknown.org."
  local-data: "graton.disunitedstates.com. IN MX 20 parts-unknown.org."
  local-data: "n4rky.disunitedstates.com. IN A 10.8.0.22"
  local-data: "www.disunitedstates.com. IN A 173.230.137.73"
  local-data: "www.joomla.disunitedstates.com. IN A 173.230.137.73"
  local-data: "s.disunitedstates.com. IN A 173.230.137.73"
  local-zone: "disunitedstates.org." static
  local-data: "disunitedstates.org. IN A 173.230.137.76"
  local-data: "disunitedstates.org. IN MX 10 parts-unknown.org."
  local-data: "atlanta.disunitedstates.org. IN A 10.8.0.1"
  local-data: "graton.disunitedstates.org. IN A 10.8.0.10"
  local-data: "graton.disunitedstates.org. IN MX 20 parts-unknown.org."
  local-data: "graton.disunitedstates.org. IN MX 10 graton.parts-unknown.org."
  local-data: "n4rky.disunitedstates.org. IN A 10.8.0.22"
  local-data: "www.disunitedstates.org. IN A 173.230.137.76"
  local-data: "s.disunitedstates.org. IN A 173.230.137.76"
  local-zone: "n4rky.me." static
  local-data: "n4rky.me. IN A 173.230.137.73"
  local-data: "n4rky.me. IN MX 10 parts-unknown.org."
  local-data: "atlanta.n4rky.me. IN A 10.8.0.1"
  local-data: "graton.n4rky.me. IN A 10.8.0.10"
  local-data: "n4rky.n4rky.me. IN A 10.8.0.22"
  local-data: "www.n4rky.me. IN A 173.230.137.73"
  local-data: "s.n4rky.me. IN A 173.230.137.73"
  local-data-ptr: "10.8.0.1 atlanta.parts-unknown.org"
  local-data-ptr: "10.8.0.10 graton.parts-unknown.org"
  local-data-ptr: "10.8.0.22 n4rky.parts-unknown.org"
python:
remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53

The current contents of root-key (sorry for line breaks):

atlanta# cat /etc/unbound/root.key
. IN DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

I went over this item for item. As near as I can tell it is a correct
initial value.

I run su unbound "/usr/sbin/unbound-anchor -a /etc/unbound/root.key"
but it has no effect:

atlanta# ls -al /etc/unbound/root.key
-rw-r--r-- 1 unbound unbound 83 Jun 9 17:39 /etc/unbound/root.key

This unbound is intended to serve not only my server but an openvpn,
hence all the references to 10.8.0.x and the availability of 127.0.0.1
port 53 for dnscrypt-proxy:

atlanta# lsof -n | grep domain
unbound 3180 unbound 3u IPv4 12285662
  0t0 UDP 10.8.0.1:domain
unbound 3180 unbound 4u IPv4 12285663
  0t0 TCP 10.8.0.1:domain (LISTEN)
lua 4086 prosody 23u IPv4 2057523
  0t0 UDP 173.230.137.73:35155->75.127.97.6:domain
dnscrypt- 30415 nobody 6u IPv4 12252389
  0t0 TCP 127.0.0.1:domain (LISTEN)
dnscrypt- 30415 nobody 7u IPv4 12252390
  0t0 UDP 127.0.0.1:domain

What else should I tell you?

Thanks!
--
David Benfell
benfell@parts-unknown.org

> The current contents of root-key (sorry for line breaks):
>
> atlanta# cat /etc/unbound/root.key
> . IN DS 19036 8 2
> 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

That looks strange to me:

        $ unbound-anchor -a /tmp/xxx -v
        /tmp/xxx does not exist
        success: the anchor is ok

        $ cat /tmp/xxx
        ; autotrust trust anchor file
        ;;id: . 1
        ;;last_queried: 1339309685 ;;Sun Jun 10 08:28:05 2012
        ;;last_success: 1339309685 ;;Sun Jun 10 08:28:05 2012
        ;;next_probe_time: 1339350455 ;;Sun Jun 10 19:47:35 2012
        ;;query_failed: 0
        ;;query_interval: 43200
        ;;retry_time: 8640
        . 172800 IN DNSKEY 257 3 8 AwEAAag [.... truncated ...]

Try obtaining your root key again.

        -JP

(Your root.key is probably fine as it contains a DS RR which is
allowed.)

I reviewed your config again and detected you are forwarding the root
zone.

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53

I think you'll have to add something like this:

        local-zone: 127.in-addr.arpa. nodefault

"nodefault" is used to turn off default contents for AS112 zones.

        -JP

Hi Jan-Piet,

> local-zone: 127.in-addr.arpa. nodefault

So I added this, restarted unbound, then did:

atlanta# su unbound "/usr/sbin/unbound-anchor -a /etc/unbound/root.key -v"
atlanta# rc.d restart unbound ; tail -f /var/log/everything.log
:: Stopping unbound daemon

                                                  [DONE]
:: Starting unbound daemon

                                                  [DONE]
Jun 10 11:55:47 atlanta unbound: [30792:0] info: histogram of
recursion processing times
Jun 10 11:55:47 atlanta unbound: [30792:0] info: [25%]=0.01536
median[50%]=0.028672 [75%]=0.0503223
Jun 10 11:55:47 atlanta unbound: [30792:0] info: lower(secs)
upper(secs) recursions
Jun 10 11:55:47 atlanta unbound: [30792:0] info: 0.008192 0.016384 6
Jun 10 11:55:47 atlanta unbound: [30792:0] info: 0.016384 0.032768 6
Jun 10 11:55:47 atlanta unbound: [30792:0] info: 0.032768 0.065536 7
Jun 10 11:55:47 atlanta unbound: [30792:0] info: 0.131072 0.262144 1
Jun 10 11:55:47 atlanta unbound: [30792:0] info: 0.262144 0.524288 1
Jun 10 11:55:49 atlanta unbound: [30928:0] notice: init module 0:
validator
Jun 10 11:55:49 atlanta unbound: [30928:0] notice: init module 1: iterator
Jun 10 11:55:49 atlanta unbound: [30928:0] info: start of service
(unbound 1.4.17).
Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 10 11:55:49 atlanta unbound: [30928:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jun 10 11:55:49 atlanta unbound: [30928:0] info: validation failure <.
DNSKEY IN>: no signatures from 127.0.0.1 for trust anchor . while
building chain of trust

And it is as before.

Thanks!
--
David Benfell
benfell@parts-unknown.org

Hmmm...

Could it be a firewall problem ? For example the response might be too large ?

I don't know what kind of tooling is available on a Mac, but I think it has 'dig'.

So maybe you could try this on the commandline ?:

dig +norec +dnssec @193.0.14.129 . NS

Hi Leen,

> dig +norec +dnssec @193.0.14.129 . NS

It's not a Mac. It's a Linode running Arch Linux. Here is what I get
from the above:

atlanta% dig +norec +dnssec @193.0.14.129 . NS

; <<>> DiG 9.9.1-P1 <<>> +norec +dnssec @193.0.14.129 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40667
;; flags: qr aa; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 23

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20120617000000 20120609230000 56158
. MlnKSG0qYXx8HZezESRIyOjnK9vInEVT5MLeEcw46Bvw1O4VPc/rpgVY
2kvi7+V51paxamrwZv7lrxlVpAopHyRayslBCjeZOoAMW0w7F8bQaJPF
NC99eiiaDpdR6mW4lkKnWeIkNwVmTVgH93INKZhYA+QLzSXwYfi1bvYR 83o=

;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 192.228.79.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 128.8.10.90
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 128.63.2.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
h.root-servers.net. 518400 IN AAAA 2001:500:1::803f:235
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:3::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35

;; Query time: 135 msec
;; SERVER: 193.0.14.129#53(193.0.14.129)
;; WHEN: Sun Jun 10 16:02:38 2012
;; MSG SIZE rcvd: 857

atlanta%

Thanks!

--
David Benfell
benfell@parts-unknown.org

Hi David,

You can pass -v or even -vvvv to unbound-anchor for more verbosity.

You forward to 127.0.0.1 and get your DNS info there. The server
that runs in 127.0.0.1 (is not this unbound) does not seem to
support DNSSEC, it returns no signatures? Do you need to enable
dnssec on that server?

Hi Leen,

> dig +norec +dnssec @193.0.14.129 . NS
>
> It's not a Mac. It's a Linode running Arch Linux. Here is what I
> get from the above:
>
> atlanta% dig +norec +dnssec @193.0.14.129 . NS

From this output I think that if you remove that 'forward' clause
from your config, unbound should work.

Best regards,
   Wouter
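Wouter's diagnosis above (the server at 127.0.0.1 answers without signatures, so unbound cannot build a chain of trust through it) can be checked directly rather than inferred from unbound's log. The following Python script is an added example, not code from this thread or from unbound: it builds a query with the EDNS0 DO bit, parses the reply's header flags and record types, and classifies the reply into the cases that appear in this thread: AD set (the resolver validated), RRSIGs present but AD clear (signed data, validate locally), SERVFAIL, or no RRSIG at all, which is what a forwarder that strips or lacks DNSSEC produces. The replies in sample_responses() are constructed for offline testing; probe() needs network access and takes whatever resolver address and query name you give it. Standard library only.

```python
"""Check whether a resolver returns DNSSEC material for a DO query.

Added example (not code from the unbound-users thread or from unbound):
build a query with the EDNS0 DO bit, parse the reply's flags and record
types, and classify it into the cases seen in the thread. Stdlib only."""
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 1, 6, 41, 46


def encode_name(name):
    """Wire-format a dotted name; "." (the root) becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_A, msg_id=0x1234, do=True):
    """Recursion-desired query plus an OPT record; DO=1 asks for RRSIGs back."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt


def build_rr(name, rtype, ttl, rdata, rclass=1):
    """Wire-format one resource record (used below to construct sample replies)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def classify(msg):
    """Parse a response; return rcode, AD bit, echoed DO bit, RRSIG presence, verdict."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    types, do_echoed = [], False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        if rtype == TYPE_OPT:               # OPT keeps its flags in the TTL field
            do_echoed = bool(ttl & 0x8000)
    has_rrsig = TYPE_RRSIG in types
    if rcode == 2:
        verdict = "SERVFAIL: resolver could not produce a validated answer"
    elif ad:
        verdict = "validated: AD set, the resolver validated this answer"
    elif has_rrsig:
        verdict = "signed: RRSIGs returned but AD clear, validate locally"
    else:
        verdict = "unsigned: no RRSIGs at all, upstream strips or lacks DNSSEC"
    return {"rcode": rcode, "ad": ad, "do": do_echoed, "rrsig": has_rrsig, "verdict": verdict}


def probe(server, qname="org.", qtype=TYPE_SOA, timeout=3.0):
    """Send the DO query to a resolver over UDP/53 and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(data)


def sample_responses():
    """Constructed replies (not captured traffic) covering the thread's three outcomes."""
    question = encode_name("example.test.") + struct.pack("!HH", TYPE_A, 1)
    a_rr = build_rr("example.test.", TYPE_A, 300, bytes([192, 0, 2, 1]))
    rrsig_rr = build_rr("example.test.", TYPE_RRSIG, 300, b"\x00" * 18 + b"\x00" + b"sig")
    opt_do = build_rr(".", TYPE_OPT, 0x8000, b"", rclass=4096)

    def hdr(flags, an, ar):                 # QR|RD|RA = 0x8180; AD = 0x0020; rcode 2
        return struct.pack("!HHHHHH", 0x1234, flags, 1, an, 0, ar)
    return {"validated": hdr(0x81A0, 2, 1) + question + a_rr + rrsig_rr + opt_do,
            "stripped": hdr(0x8180, 1, 1) + question + a_rr + opt_do,
            "servfail": hdr(0x8182, 0, 1) + question + opt_do}
```

Running probe('127.0.0.1', 'org.', TYPE_SOA) against the dnscrypt-proxy listener from the thread tells you in one step whether the forwarder passes RRSIGs at all; an "unsigned" verdict means unbound can never prime the root trust anchor through it, whatever root.key contains.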

Sorry for confusing your discussion with the other.

That output looks fine to me.

Linode ? My Linode got 2 nameservers assigned which support validated DNSSEC just fine.

So maybe you don't even need Unbound ? Unless you distrust the network of course.

Anyway, I think Jan-Piet Mens is on the right track. Please remove the forward-zone for '.'
as a test. My guess is, it would start working.

It is always easier to test small parts first.

What is on the other side of dnscrypt ? OpenDNS ?

Well, OpenDNS does not support DNSSEC.

Hi Leen,

> Anyway, I think Jan-Piet Mens is on the right track. Please remove
> the forward-zone for '.' as a test. My guess is, it would start
> working.

I have now done this--and removed the local-zone for 127.x.x.x that he
suggested--and it does appear to be running better. For one thing,
root.key now contains:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1339440774 ;;Mon Jun 11 11:52:54 2012
;;last_success: 1339440774 ;;Mon Jun 11 11:52:54 2012
;;next_probe_time: 1339483628 ;;Mon Jun 11 23:47:08 2012
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0
;;lastchange=1339440774 ;;Mon Jun 11 11:52:54 2012

We actually got an update. And I am no longer seeing the error
messages I previously reported. However, sanity check results are mixed:

atlanta# dig org. SOA +dnssec

; <<>> DiG 9.9.1-P1 <<>> org. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN SOA

;; ANSWER SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info.
2010096315 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20120702190513 20120611180513 12189
org. bjSHMmeSeK6QE/XIHf4z/RVoJYrGnkEtyqzDiGeIeEMz0s71E/jraFj6
wElwbNFhiEs37gyyHZoYoojrLWyQsE3UC7qHRbMVCZKCG1qN19pRMeBw
eyCjqFSwcXavf+r3AZXCkQCRYqGygis4Zrki41eNrtpmkcxgP4J2WuJZ gek=

;; AUTHORITY SECTION:
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN RRSIG NS 7 1 86400 20120630155122 20120609145122 12189
org. Mh1C3+D1bMreN+SWCCumO/8OMi3SmwOquclqtmdFQA6CmTRikj8y6mfX
WFjLie6eT/oT4pSZglctE5tL3xQM+xSpG/JxmwTWtrdoWyvCXtJTY+vr
gr16QNIgoLGaofSRRWoQyt+QFO+kTSV8GtjzOf7fYg+DrdbXZkut/xbV bYE=

;; Query time: 19 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Mon Jun 11 12:05:34 2012
;; MSG SIZE rcvd: 536

atlanta# dig test.dnssec-or-not.net TXT

; <<>> DiG 9.9.1-P1 <<>> test.dnssec-or-not.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.dnssec-or-not.net. IN TXT

;; Query time: 1401 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Mon Jun 11 12:06:22 2012
;; MSG SIZE rcvd: 51

atlanta#

It looks like test.dnssec-or-not.net isn't working at all. And lynx on
http://dnssectest.sidn.nl/ reports that no form action is defined.
Trying http://dnssectest.sidn.nl/ from my home system (which should be
using the unbound) simply states that this test is taking unusually
long and never comes back with anything else.

> It is always easier to test small parts first.
>
> What is on the other side of dnscrypt ? OpenDNS ?

Oh, my. :facepalm

I think my intent was to connect to OpenDNS. But at the moment, I'm
failing to find where I've configured this. All I see at the moment is,

atlanta# cat /etc/conf.d/dnscrypt-proxy
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=53
DNSCRYPT_USER=nobody

> Well, OpenDNS does not support DNSSEC.

I'll have to look into this separately.

Thanks!
--
David Benfell
benfell@parts-unknown.org
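The DS record in the original root.key (first message) and the DNSKEY that autotrust wrote into the file once priming succeeded (above) are the two halves of one trust anchor, and going over the DS "item for item" can be replaced by computing the key tag and digest from the DNSKEY. The following Python script is an added example, not part of the thread or of unbound: it implements the RFC 4034 key-tag algorithm and the DS digest (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA) and checks that the DS line designates the DNSKEY line. The two record strings are copied from the messages above; nothing else is assumed.

```python
"""Verify that a DS trust anchor matches a DNSKEY (RFC 4034 key tag and digest).

Added example, not code from the thread or from unbound. Inputs are the
DS line from /etc/unbound/root.key and the DNSKEY line that autotrust
later wrote into the same file. Standard library only."""
import base64
import hashlib
import struct


def encode_name(name):
    """Wire-format a dotted owner name (lower-cased); "." becomes one zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit words, then fold the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); 1=SHA-1, 2=SHA-256."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, encode_name(owner) + rdata).hexdigest().upper()


def parse_ds(line):
    """Parse '<owner> [ttl] IN DS <tag> <alg> <dtype> <hex...>' into a dict."""
    f = line.split()
    i = f.index("DS")
    return {"owner": f[0], "tag": int(f[i + 1]), "alg": int(f[i + 2]),
            "dtype": int(f[i + 3]), "digest": "".join(f[i + 4:]).upper()}


def parse_dnskey(line):
    """Parse '<owner> [ttl] IN DNSKEY <flags> <proto> <alg> <base64...>' into a dict."""
    f = line.split()
    i = f.index("DNSKEY")
    return {"owner": f[0], "flags": int(f[i + 1]), "proto": int(f[i + 2]),
            "alg": int(f[i + 3]), "key": "".join(f[i + 4:])}


def ds_matches_dnskey(ds_line, dnskey_line):
    """Return (computed_tag, computed_digest, ok); ok is True only when owner,
    key tag, algorithm and digest all agree, i.e. the DS designates this DNSKEY."""
    ds, key = parse_ds(ds_line), parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(key["flags"], key["proto"], key["alg"], key["key"])
    tag = key_tag(rdata)
    digest = ds_digest(key["owner"], rdata, ds["dtype"])
    ok = (tag == ds["tag"] and key["alg"] == ds["alg"] and digest == ds["digest"]
          and encode_name(key["owner"]) == encode_name(ds["owner"]))
    return tag, digest, ok


# The two records exactly as they appear in the thread (root KSK, key id 19036).
ROOT_DS = (". IN DS 19036 8 2 "
           "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")
ROOT_DNSKEY = (". 172800 IN DNSKEY 257 3 8 "
               "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=")

if __name__ == "__main__":
    tag, digest, ok = ds_matches_dnskey(ROOT_DS, ROOT_DNSKEY)
    print("key tag", tag, "digest", digest, "match" if ok else "MISMATCH")
```

This is the first half of what unbound does when it primes a trust anchor: fetch the root DNSKEY RRset, find the key whose tag and digest match the configured DS, and only then verify the RRset's RRSIG with it. The "DNSKEY rrset is not secure" messages earlier in the thread failed at that second step ("no signatures from 127.0.0.1"), which is why a correct DS never helped while the forwarder was in the path.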

> We actually got an update. And I am no longer seeing the error
> messages I previously reported. However, sanity check results are mixed:
>
> ;test.dnssec-or-not.net. IN TXT

If you clear the cache of unbound and do:

dig +dnssec test.dnssec-or-not.net TXT

Then it might work.

> It looks like test.dnssec-or-not.net isn't working at all. And lynx on
> http://dnssectest.sidn.nl/ reports that no form action is defined.
> Trying http://dnssectest.sidn.nl/ from my home system (which should be
> using the unbound) simply states that this test is taking unusually
> long and never comes back with anything else.
>

It wouldn't work in Lynx because it depends on JavaScript I think.

I guess you have nothing cached, maybe that is why it takes that long ?

It might have cached the error ?

> It is always easier to test small parts first.
>
> What is on the other side of dnscrypt ? OpenDNS ?

> Oh, my. :facepalm
>
> I think my intent was to connect to OpenDNS. But at the moment, I'm
> failing to find where I've configured this. All I see at the moment is,
>
> atlanta# cat /etc/conf.d/dnscrypt-proxy
> DNSCRYPT_LOCALIP=127.0.0.1
> DNSCRYPT_LOCALPORT=53
> DNSCRYPT_USER=nobody

> Well, OpenDNS does not support DNSSEC.

I'll have to look into this separately.

I think you can forward . to the Linode DNS-servers (check out the Remote Access tab of your Linode), they seem to support DNSSEC.

> Thanks!

No problem.

atlanta# rc.d restart unbound
:: Stopping unbound daemon

                                                  [DONE]
:: Starting unbound daemon

                                                  [DONE]
atlanta# dig +dnssec test.dnssec-or-not.net TXT

; <<>> DiG 9.9.1-P1 <<>> +dnssec test.dnssec-or-not.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53853
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.dnssec-or-not.net. IN TXT

;; Query time: 2017 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Mon Jun 11 13:38:34 2012
;; MSG SIZE rcvd: 51

The log says:

Jun 11 13:38:34 atlanta unbound: [11057:0] info: validation failure
<test.dnssec-or-not.net. TXT IN>: no DNSSEC records from 72.13.58.79
for DS 33c708d2d35e41e0.dnssec-or-not.net. while building chain of trust

And,

atlanta# dig -x 72.13.58.79

; <<>> DiG 9.9.1-P1 <<>> -x 72.13.58.79
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4862
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;79.58.13.72.in-addr.arpa. IN PTR

;; ANSWER SECTION:
79.58.13.72.in-addr.arpa. 86400 IN PTR dnssec-or-not-ns4.verisignlabs.com.

;; AUTHORITY SECTION:
58.13.72.in-addr.arpa. 86400 IN NS ns3.verisign-grs.net.
58.13.72.in-addr.arpa. 86400 IN NS ns2.verisign-grs.net.
58.13.72.in-addr.arpa. 86400 IN NS ns1.verisign-grs.net.
58.13.72.in-addr.arpa. 86400 IN NS ns4.verisign-grs.net.

;; Query time: 727 msec
;; SERVER: 10.8.0.1#53(10.8.0.1)
;; WHEN: Mon Jun 11 13:40:43 2012
;; MSG SIZE rcvd: 189

Just not sure what to make of that.

As for the other, I tried clearing the browsing history and the cache
but the result is the same.

--
David Benfell
benfell@parts-unknown.org