Date: Thu, 13 Nov 2014 11:39:53 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 194991] New: dns/dnscrypt-proxy with DNSSEC fails
Message-ID: <bug-194991-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194991

            Bug ID: 194991
           Summary: dns/dnscrypt-proxy with DNSSEC fails
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: Normal
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: zaphod@berentweb.com
                CC: freebsd@dns-lab.com
             Flags: maintainer-feedback?(freebsd@dns-lab.com)

* I have unbound -> dnscrypt-proxy running in a jail.

* In the jail's rc.conf, I have

    local_unbound_enable="YES"
    dnscrypt_proxy_flags="-d -a 127.0.0.1:9040 -R dnscrypt.eu-nl"
    dnscrypt_proxy_enable="YES"

* When the jail starts with DNSSEC enabled in unbound.conf, all DNS lookups fail due to validation. This means lookups succeed, but validations fail with messages like:

    rrset failed to verify due to a lack of signatures
    Failed to match any usable anchor to a DNSKEY.
    autotrust: validate DNSKEY with anchor: sec_status_bogus
    autotrust: dnskey did not verify.
    autotrust: write to disk: /var/unbound/root.key.3269-0
    autotrust: replaced /var/unbound/root.key
    rrset failed to verify due to a lack of signatures
    Failed to match any usable anchor to a DNSKEY.
    validate keys with anchor(DS): sec_status_bogus
    failed to prime trust anchor -- DNSKEY rrset is not secure

* THE SOLUTION: When the jail starts, "# jexec dns-jail csh" (chroot to jail), kill dnscrypt-proxy and unbound, then restart with

    dns-jail#> unbound
    dns-jail#> dnscrypt-proxy -d -a 127.0.0.1:port -R <resolver>

--NOTES--

* The above is valid for unbound from ports AND from src (base)

* Modifying rc.d/unbound as suggested in bug report does not solve the issue
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194975

* Other info on the topic here:
  https://github.com/jedisct1/dnscrypt-proxy/issues/161#issuecomment-62744087

--- Comment #1 from Bugzilla Automation <bugzilla@FreeBSD.org> ---
Maintainer CC'd

-- 
You are receiving this mail because:
You are the assignee for the bug.
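An added example, not part of the bug report or of the unbound/dnscrypt-proxy projects: a POSIX sh helper that restarts the two daemons in the order the report's manual fix uses (forwarder first, validator second), waits until dnscrypt-proxy is actually listening before starting unbound, and classifies unbound log text by the trust-anchor messages quoted above. The sockstat-based readiness wait, the 20-second timeout and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report). Listen address and resolver
# match the dnscrypt_proxy_flags shown in the report.
DNSCRYPT_LISTEN="127.0.0.1:9040"
DNSCRYPT_RESOLVER="dnscrypt.eu-nl"

# True when a socket is bound on the dnscrypt-proxy listen address.
# sockstat is FreeBSD's socket lister (assumed available in the jail).
dnscrypt_listening() {
    sockstat -4 -l 2>/dev/null | grep -q "[[:space:]]${DNSCRYPT_LISTEN}[[:space:]]"
}

# Restart in dependency order so unbound's first trust-anchor fetch does not
# happen while its only upstream (dnscrypt-proxy) is still down.
restart_in_order() {
    pkill -x unbound 2>/dev/null
    pkill -x dnscrypt-proxy 2>/dev/null
    dnscrypt-proxy -d -a "$DNSCRYPT_LISTEN" -R "$DNSCRYPT_RESOLVER" || return 1
    i=0
    until dnscrypt_listening; do
        i=$((i + 1))
        if [ "$i" -ge 20 ]; then
            echo "dnscrypt-proxy not listening on $DNSCRYPT_LISTEN after 20s" >&2
            return 1
        fi
        sleep 1
    done
    unbound
}

# Read unbound log text on stdin. Print "bogus" (status 1) if the anchor
# failed to prime or autotrust rewrote root.key, else "ok" (status 0).
classify_unbound_log() {
    if grep -Eq 'sec_status_bogus|failed to prime trust anchor|autotrust: replaced'; then
        echo bogus
        return 1
    fi
    echo ok
    return 0
}
```

Run `restart_in_order` inside the jail as root; feed `classify_unbound_log` the jail's unbound log to confirm the anchor is no longer bogus.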