Date:      Thu, 13 Nov 2014 11:39:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 194991] New: dns/dnscrypt-proxy with DNSSEC fails
Message-ID:  <bug-194991-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194991

            Bug ID: 194991
           Summary: dns/dnscrypt-proxy with DNSSEC fails
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: Normal
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: zaphod@berentweb.com
                CC: freebsd@dns-lab.com
             Flags: maintainer-feedback?(freebsd@dns-lab.com)

* I have unbound -> dnscrypt-proxy running in a jail.
* In the jail's rc.conf, I have
local_unbound_enable="YES"
dnscrypt_proxy_flags="-d -a 127.0.0.1:9040 -R dnscrypt.eu-nl"
dnscrypt_proxy_enable="YES"

* When the jail starts with DNSSEC enabled in unbound.conf, all DNS lookups
fail due to validation. That is, lookups succeed, but validation fails with
messages like:
rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
autotrust: validate DNSKEY with anchor: sec_status_bogus
autotrust: dnskey did not verify.
autotrust: write to disk: /var/unbound/root.key.3269-0
autotrust: replaced /var/unbound/root.key
rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
validate keys with anchor(DS): sec_status_bogus
failed to prime trust anchor -- DNSKEY rrset is not secure

* THE SOLUTION: When the jail starts, "# jexec dns-jail csh" (chroot to jail),
kill dnscrypt-proxy and unbound, then restart with
dns-jail#> unbound
dns-jail#> dnscrypt-proxy -d -a 127.0.0.1:port -R <resolver>

--NOTES--
* The above is valid for unbound from ports AND from src (base)
* Modifying rc.d/unbound as suggested in bug report does not solve the issue
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194975
* Other info on the topic here:
https://github.com/jedisct1/dnscrypt-proxy/issues/161#issuecomment-62744087
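As an added example (not part of the bug report or of either project), the following POSIX sh health check scans unbound's log output for the trust-anchor failure messages quoted above, so an operator can tell after the jail starts that the resolver answers but is not validating, and can see which anchor file autotrust reports having rewritten. The log file path in check_log_file is an assumption; the sample log text is constructed from the lines in the report.

```sh
#!/bin/sh
# Added example, not from bug 194991: flag a resolver whose DNSSEC
# trust anchor failed to prime, using the messages unbound logs.

# Messages unbound emits when the root trust anchor cannot be primed.
BOGUS_PATTERN='sec_status_bogus|failed to prime trust anchor|DNSKEY rrset is not secure'

# Exit 0 if the log text given as $1 shows a failed anchor prime, 1 otherwise.
dnssec_anchor_failed() {
    printf '%s\n' "$1" | grep -Eq "$BOGUS_PATTERN"
}

# Print the path of every trust-anchor file autotrust reports having replaced
# while in this state, one per line (empty output if none). Compare each
# against a known-good copy before trusting the resolver again.
replaced_anchor_files() {
    printf '%s\n' "$1" | sed -n 's/^.*autotrust: replaced \(.*\)$/\1/p' | sort -u
}

# Check a log file (default path is an assumption; unbound logs to syslog
# unless configured otherwise) and return non-zero when validation is broken.
check_log_file() {
    log_file="${1:-/var/log/unbound.log}"   # assumed location
    [ -r "$log_file" ] || { echo "cannot read $log_file" >&2; return 2; }
    log_text=$(cat "$log_file")
    if dnssec_anchor_failed "$log_text"; then
        echo "DNSSEC validation is failing; anchor files rewritten:" >&2
        replaced_anchor_files "$log_text" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the lines quoted in the bug report.
SAMPLE_LOG='rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
autotrust: validate DNSKEY with anchor: sec_status_bogus
autotrust: dnskey did not verify.
autotrust: write to disk: /var/unbound/root.key.3269-0
autotrust: replaced /var/unbound/root.key
validate keys with anchor(DS): sec_status_bogus
failed to prime trust anchor -- DNSKEY rrset is not secure'

# Constructed log of a healthy resolver, for comparison.
CLEAN_LOG='info: start of service (unbound).
info: validation success www.freebsd.org. A IN'
```

Run `check_log_file /path/to/unbound.log` once the jail's services are up; a non-zero exit means the resolver is answering without valid DNSSEC.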

--- Comment #1 from Bugzilla Automation <bugzilla@FreeBSD.org> ---
Maintainer CC'd
