Date:      Fri, 12 Oct 2018 22:41:56 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Eugene Grosbein <eugen@grosbein.net>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: DNS KSK rollover, local_unbound and 11.2-STABLE
Message-ID:  <861s8uaodn.fsf@next.des.no>
In-Reply-To: <5BC046FB.9080906@grosbein.net> (Eugene Grosbein's message of "Fri, 12 Oct 2018 14:02:19 +0700")
References:  <5BC046FB.9080906@grosbein.net>

Eugene Grosbein <eugen@grosbein.net> writes:
> It seems that 11.2-STABLE still has old unbound version 1.5.10 having
> no option trust-anchor-signaling.
>
> Can it be a reason that my home router running stable/11 r338011 as
> NanoBSD with stock local_unbound
> as DNS recursive service for LAN stopped working today?

No.  If it was working before, it already had both KSKs.  Try this:

% /usr/bin/host -c CH -t TXT trustanchor.unbound <router-ip>
trustanchor.unbound descriptive text ". 19036 20326"

The first number is the old KSK, the second number is the new KSK.

You can also check that your root.key has both entries:

% grep -c '^[^;]' /var/unbound/root.key
2

or just look inside:

. 172800 IN DNSKEY [...] ;{id = 19036 (ksk), size = 2048b} [...]
. 172800 IN DNSKEY [...] ;{id = 20326 (ksk), size = 2048b} [...]

In any case, if unbound-anchor is unable to get and validate the KSK, it
will fall back to getting it over http (using an unvalidated DNS lookup)
and verifying the accompanying signature against a hardcoded x509
certificate which is valid until 2023.

DES
-- 
Dag-Erling Smørgrav - des@des.no
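The two checks in the message above (the CH/TXT `trustanchor.unbound` query and a look inside `root.key`) can be scripted so that the key ids are recomputed from the DNSKEY RDATA (RFC 4034 Appendix B) rather than read off the `;{id = ...}` comment. The script below is an added example and is not code from the message, from unbound or from FreeBSD. The `root.key` and `host` output it parses are constructed: the DNSKEY records carry tiny stand-in keys (tags 2063 and 778) instead of the real 2048-bit root KSKs 19036 and 20326, and the function names are my own.

```python
import base64
import re

# Constructed sample in unbound's autotrust root.key format (comment lines
# start with ';').  The key material is NOT the real root KSKs: real entries
# hold 2048-bit RSA keys and report ids 19036 and 20326.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
. 172800 IN DNSKEY 257 3 8 AQIDBA== ;{id = 2063 (ksk), size = 32b}
. 172800 IN DNSKEY 257 3 8 //// ;{id = 778 (ksk), size = 24b}
"""

# Constructed answer of:  host -c CH -t TXT trustanchor.unbound <router-ip>
SAMPLE_HOST_OUTPUT = 'trustanchor.unbound descriptive text ". 2063 778"\n'

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+"
    r"(?P<alg>\d+)\s+(?P<key>\S+)"
)
ID_COMMENT_RE = re.compile(r";\{id\s*=\s*(\d+)")


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def root_key_tags(text: str) -> dict:
    """Return {keytag: flags} for every DNSKEY in a root.key file.

    The tag is recomputed from the RDATA; if the ';{id = N' comment disagrees,
    the file is inconsistent and a ValueError is raised.
    """
    tags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            continue
        pub = base64.b64decode(m.group("key"))
        tag = dnskey_keytag(int(m.group("flags")), int(m.group("proto")),
                            int(m.group("alg")), pub)
        c = ID_COMMENT_RE.search(line)
        if c and int(c.group(1)) != tag:
            raise ValueError(f"comment claims id {c.group(1)} but RDATA gives {tag}")
        tags[tag] = int(m.group("flags"))
    return tags


def trustanchor_ids(host_output: str, zone: str = ".") -> list:
    """Key ids unbound reports for `zone` in its CH/TXT trustanchor.unbound answer."""
    ids = []
    for m in re.finditer(r'"([^"]*)"', host_output):
        fields = m.group(1).split()
        if fields and fields[0] == zone:
            ids.extend(int(f) for f in fields[1:])
    return ids


def check_rollover(host_output: str, root_key_text: str, new_ksk: int) -> list:
    """Return a list of problems (empty == healthy) for a KSK rollover."""
    live = set(trustanchor_ids(host_output))
    on_disk = root_key_tags(root_key_text)
    ksks = {t for t, f in on_disk.items() if f & 0x0001}   # SEP bit set -> KSK
    problems = []
    if new_ksk not in live:
        problems.append(f"running unbound does not trust KSK {new_ksk}")
    if new_ksk not in ksks:
        problems.append(f"root.key has no KSK with tag {new_ksk}")
    if live != ksks:
        problems.append(f"running anchors {sorted(live)} != root.key KSKs {sorted(ksks)}")
    return problems


if __name__ == "__main__":
    print(check_rollover(SAMPLE_HOST_OUTPUT, SAMPLE_ROOT_KEY, 778))
```

On a real router, feed `check_rollover` the output of the `host` command and the contents of `/var/unbound/root.key`, and pass 20326 as `new_ksk`; the SEP-bit filter matters because `root.key` can legitimately hold non-KSK entries that the CH/TXT answer will not list.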



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?861s8uaodn.fsf>