I have an OpenWRT router device which has unbound 1.4.5 bundled for it
and I haven't yet gotten around to getting cross-compilation going so I
can build something newer myself.
Yesterday, ICANN sent out notification of the root KSK Ceremony 12,
which took place on February 12th. Might be a factor?
When I went to bed at 5am US Eastern, DNS at home was working fine.
When I got up some hours later, there was no DNS resolution at home. I
got it working by disabling the DNSSEC verification in unbound on the
router.
If I use unbound-anchor (on a host where that's available) and
copy/paste that into the router's file, it still doesn't help.
With the trust anchor turned on, I get:
root@coal:/etc/unbound# unbound -dd
Nov 27 08:22:20 unbound[2919:0] notice: init module 0: validator
Nov 27 08:22:20 unbound[2919:0] notice: init module 1: iterator
Nov 27 08:22:20 unbound[2919:0] info: start of service (unbound 1.4.5).
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
[...]
Does anyone know what might be causing this? Algorithm change not
supported by ancient unbound, something else?
> Yesterday, ICANN sent out notification of the root KSK Ceremony 12,
> which took place on February 12th. Might be a factor?
That announcement was about the ceremony materials.
> With the trust anchor turned on, I get:
> root@coal:/etc/unbound# unbound -dd
> Nov 27 08:22:20 unbound[2919:0] notice: init module 0: validator
> Nov 27 08:22:20 unbound[2919:0] notice: init module 1: iterator
> Nov 27 08:22:20 unbound[2919:0] info: start of service (unbound 1.4.5).
> Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
> Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
> Nov 27 08:22:30 unbound[2919:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure <. DNSKEY IN>
I noticed a similar problem with a previous version. I didn't encounter the problem with version 1.4.19.
Check the date on the router.
I need to reboot my router regularly due to clock skew.
Good call. "Tue Nov 27" -- impressive it lasted as long as it did.
ntpd is supposed to be running and my installation notes log my setting
it up. "opkg install ntpdate", an ntpdate run later, re-enable
"auto-trust-anchor-file" in unbound.conf, and I have DNSSEC validation
running again.
% host www.dnssec-failed.org
Host www.dnssec-failed.org not found: 3(NXDOMAIN)
Thank you!
I also feel stupid for not noticing the date on the router.
ntpd is running once more, router is at stratum 3, DNSSEC working. Oh,
and syslog is being sent off the router, which it wasn't when I set
things up, so if this recurs I may actually have a history I can
examine.
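
Added example (not part of the thread): the failure above came down to the router's clock sitting outside the validity window of the RRSIG covering the root DNSKEY set. This shell function reads RRSIG records in dig presentation format and classifies a given time against that window; the function name, the sample record and its dates are constructed for illustration.

```sh
#!/bin/sh
# Classify a clock reading against the validity window of RRSIG records.
# Input on stdin: records in dig presentation format, whose fields are
#   owner TTL class RRSIG covered alg labels orig-ttl EXPIRATION INCEPTION keytag signer sig
# Both timestamps are YYYYMMDDHHMMSS in UTC, so a plain string comparison
# orders them correctly. Note that expiration comes before inception.

rrsig_clock_check() {
    # $1 = type covered (e.g. DNSKEY)
    # $2 = time to test, YYYYMMDDHHMMSS UTC
    awk -v covered="$1" -v now="$2" '
        $4 == "RRSIG" && $5 == covered {
            seen = 1
            t_exp = $9 ""            # force string comparison
            t_inc = $10 ""
            t_now = now ""
            if (t_now < t_inc)       verdict = "clock-behind"
            else if (t_now > t_exp)  verdict = "clock-ahead-or-sig-expired"
            else                     { verdict = "ok"; exit }
        }
        END {
            if (!seen) verdict = "no-rrsig"
            print verdict
        }'
}

# Constructed sample record: key tag, dates and signature are placeholders.
SAMPLE='. 172800 IN RRSIG DNSKEY 8 0 172800 20130215235959 20130201000000 12345 . c2FtcGxl'

# A clock stuck on "Nov 27" (year constructed) is before the inception time.
printf '%s\n' "$SAMPLE" | rrsig_clock_check DNSKEY 20121127082220

# Live use, on a host that has dig and a resolver that returns RRSIGs:
#   dig +dnssec . DNSKEY | rrsig_clock_check DNSKEY "$(date -u +%Y%m%d%H%M%S)"
```

A "clock-behind" verdict on the router, with "ok" from a host whose time is known to be good, points at the local clock rather than at the trust anchor file.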