priming and dnskey

I found a packet requesting a DNSKEY record at priming, in spite of removing
"validator" from my config.
What is the purpose of this function?
I think this function may cause trouble with KSK rollover.

Hi T.Suzuki,

Do you have prefetch-key enabled still? It causes the DNSKEY to be
prefetched. If so, that would just be extra data in the cache, and not
hamper KSK rollovers.

Otherwise, unbound shouldn't be fetching the DNSKEY itself then, but
downstream clients could still be asking for it.

Best regards, Wouter

I have not enabled any key configuration.

unbound 1.6.3 (FreeBSD 11.0-RELEASE pkg)

server:
  verbosity: 1
  interface: 127.0.0.2
  msg-cache-size: 8m
  rrset-cache-size: 8m
  access-control: 127.0.0.0/8 allow
  logfile: "unbound.log"
  log-queries: yes
  root-hints: "named.cache"
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  unwanted-reply-threshold: 100000
  do-not-query-localhost: no
  # prefetch-key: no
  module-config: "iterator"
  # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
  # trust-anchor-file: ""

python:
remote-control:
  control-enable: yes

# tshark -n port 53
Capturing on 'em0'
    1 0.000000 172.16.168.136 → 199.7.91.13 DNS 70 Standard query 0xca87 NS <Root> OPT
    2 0.015573 199.7.91.13 → 172.16.168.136 DNS 1139 Standard query response 0xca87 NS <Root> NS f.root-servers.net NS e.root-servers.net NS i.root-servers.net NS k.root-servers.net NS a.root-servers.net NS b.root-servers.net NS d.root-servers.net NS g.root-servers.net NS h.root-servers.net NS l.root-servers.net NS m.root-servers.net NS j.root-servers.net NS c.root-servers.net RRSIG A 198.41.0.4 A 192.228.79.201 A 192.33.4.12 A 199.7.91.13 A 192.203.230.10 A 192.5.5.241 A 192.112.36.4 A 198.97.190.53 A 192.36.148.17 A 192.58.128.30 A 193.0.14.129 A 199.7.83.42 A 202.12.27.33 AAAA 2001:503:ba3e::2:30 AAAA 2001:500:200::b AAAA 2001:500:2::c AAAA 2001:500:2d::d AAAA 2001:500:a8::e AAAA 2001:500:2f::f AAAA 2001:500:12::d0d AAAA 2001:500:1::53 AAAA 2001:7fe::53 AAAA 2001:503:c27::2:30 AAAA 2001:7fd::1 AAAA 2001:500:9f::42 AAAA 2001:dc3::35 OPT
    3 0.015879 172.16.168.136 → 198.41.0.4 DNS 70 Standard query 0x6795 DNSKEY <Root> OPT
    4 0.130131 198.41.0.4 → 172.16.168.136 DNS 1181 Standard query response 0x6795 DNSKEY <Root> DNSKEY DNSKEY DNSKEY RRSIG OPT

Hi T.Suzuki,

I don't know why it is querying for the root DNSKEY for you. It should
not do that, unless a client asked for it.

Do you have verbosity 5 debug logs? Perhaps this config file is not the
actual config file used by your resolver?

Best regards, Wouter

> Hi T.Suzuki,
>
> I don't know why it is querying for the root DNSKEY for you. It should
> not do that, unless a client asked for it.

There is no client at startup.

> Do you have verbosity 5 debug logs? Perhaps this config file is not the
> actual config file used by your resolver?

The config is the server's.
Because I got the verbosity 5 debug log by changing the config file.
And, I got root.key again :)

Thank you.

# /usr/local/etc/rc.d/unbound start
Obtaining a trust anchor:.
Starting unbound.
[1501809138] unbound[11716:0] debug: creating udp4 socket 127.0.0.2 53
[1501809138] unbound[11716:0] debug: creating tcp4 socket 127.0.0.2 53
[1501809138] unbound[11716:0] debug: creating tcp6 socket ::1 8953
[1501809138] unbound[11716:0] debug: creating tcp4 socket 127.0.0.1 8953
[1501809138] unbound[11716:0] debug: setup SSL certificates
root@meme:/usr/local/etc/unbound # cat unbound.log
[1501809138] unbound[11717:0] debug: module config: "iterator"
[1501809138] unbound[11717:0] notice: init module 0: iterator
[1501809138] unbound[11717:0] debug: target fetch policy for level 0 is 3
[1501809138] unbound[11717:0] debug: target fetch policy for level 1 is 2
[1501809138] unbound[11717:0] debug: target fetch policy for level 2 is 1
[1501809138] unbound[11717:0] debug: target fetch policy for level 3 is 0
[1501809138] unbound[11717:0] debug: target fetch policy for level 4 is 0
[1501809138] unbound[11717:0] debug: total of 59485 outgoing ports available
[1501809138] unbound[11717:0] debug: start threads
[1501809138] unbound[11717:0] debug: mini-event internal user select method.
[1501809138] unbound[11717:0] debug: no config, using builtin root hints.
[1501809138] unbound[11717:0] debug: cache memory msg=66072 rrset=66072 infra=5224 val=0
[1501809138] unbound[11717:0] info: start of service (unbound 1.6.3).

This script is a criminal. I'm sorry.

/usr/local/etc/rc.d/unbound

# start_precmd runs before the unbound daemon itself is started: it invokes
# unbound-anchor, which fetches or refreshes the root trust anchor (root.key),
# and then validates the configuration file.
start_precmd()
{
        echo -n "Obtaining a trust anchor:"
        # unbound_anchorflags comes from rc.conf; run unbound-anchor as the unbound user
        if [ "${unbound_anchorflags}T" = "T" ]; then
                su -m unbound -c /usr/local/sbin/unbound-anchor
        else
                su -m unbound -c "/usr/local/sbin/unbound-anchor ${unbound_anchorflags}"
        fi
        echo .
        /usr/local/sbin/unbound-checkconf > /dev/null
        return $?
}
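Added example, not from the thread or from the Unbound project: a small Python check that applies Wouter's rule (unbound only asks for DNSKEY on its own when it validates) to a config file and a tshark capture, so that a DNSKEY query the config cannot account for is flagged as coming from something else on the host, such as unbound-anchor run by the rc script. It assumes Unbound's default module-config of "validator iterator"; the sample config and capture lines are constructed from the thread, and the `parse_unbound_conf`, `expects_dnskey_fetch`, `dnskey_queries` and `unexpected_dnskey_queries` names are the example's own.

```python
import re
from collections import defaultdict
# Constructed sample: the server clause from the thread, with "validator" absent
# from module-config and the anchor option commented out.
SAMPLE_CONF = '''server:
  verbosity: 1
  # prefetch-key: no
  module-config: "iterator"
        # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
remote-control:
  control-enable: yes
'''
# Constructed sample tshark lines in the shape of the capture in the thread.
SAMPLE_CAPTURE = '''1 0.000000 172.16.168.136 → 199.7.91.13 DNS 70 Standard query 0xca87 NS <Root> OPT
3 0.015879 172.16.168.136 → 198.41.0.4 DNS 70 Standard query 0x6795 DNSKEY <Root> OPT
4 0.130131 198.41.0.4 → 172.16.168.136 DNS 1181 Standard query response 0x6795 DNSKEY <Root>
'''
ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor", "trusted-keys-file")
DNSKEY_QUERY = re.compile(r"(\S+) (?:→|->) (\S+) DNS \d+ Standard query 0x[0-9a-f]+ DNSKEY (\S+)")

def parse_unbound_conf(text):
    """{clause: {key: [values]}}; '#' starts a comment, a bare 'name:' line opens a clause."""
    clauses, clause = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # quoted values containing '#' are not handled
        if not line:
            continue
        if line.endswith(":") and " " not in line:
            clause = line[:-1]
            continue
        key, _, value = line.partition(":")
        clauses[clause][key.strip()].append(value.strip().strip('"'))
    return clauses

def expects_dnskey_fetch(conf):
    """True only when the validator module is loaded (default module-config is "validator
    iterator") and a trust anchor is set; otherwise unbound has no reason to ask for DNSKEY."""
    server = conf.get("server", {})
    modules = " ".join(server.get("module-config", ["validator iterator"])).split()
    return "validator" in modules and any(v for k in ANCHOR_KEYS for v in server.get(k, []))

def dnskey_queries(capture):
    """(source, destination, name) for each DNSKEY query line; responses are skipped."""
    return [m.groups() for m in map(DNSKEY_QUERY.search, capture.splitlines()) if m]

def unexpected_dnskey_queries(conf_text, capture):
    """DNSKEY queries the config cannot account for: unbound itself would not send them,
    so the sender is another process on the host (e.g. unbound-anchor) or a client."""
    queries = dnskey_queries(capture)
    return [] if expects_dnskey_fetch(parse_unbound_conf(conf_text)) else queries
```

Run against the thread's own config and capture, the DNSKEY query to 198.41.0.4 is reported as unexpected, which is exactly the hint that led to the rc script.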