From: Dag-Erling Smørgrav <des@des.no>
To: Eugene Grosbein
Cc: freebsd-net
Subject: Re: DNS KSK rollover, local_unbound and 11.2-STABLE
Date: Fri, 12 Oct 2018 22:41:56 +0200
Message-ID: <861s8uaodn.fsf@next.des.no>
In-Reply-To: <5BC046FB.9080906@grosbein.net> (Eugene Grosbein's message of "Fri, 12 Oct 2018 14:02:19 +0700")

Eugene Grosbein writes:
> It seems that 11.2-STABLE still has old unbound version 1.5.10 having
> no option trust-anchor-signaling.
>
> Can it be a reason that my home router running stable/11 r338011 as
> NanoBSD with stock local_unbound
> as DNS recursive service for LAN stopped working today?

No. If it was working before, it already had both KSKs.
Try this:

    % /usr/bin/host -c CH -t TXT trustanchor.unbound
    trustanchor.unbound descriptive text ". 19036 20326"

The first number is the old KSK, the second number is the new KSK.

You can also check that your root.key has both entries:

    % grep -c '^[^;]' /var/unbound/root.key
    2

or just look inside:

    . 172800 IN DNSKEY [...] ;{id = 19036 (ksk), size = 2048b} [...]
    . 172800 IN DNSKEY [...] ;{id = 20326 (ksk), size = 2048b} [...]

In any case, if unbound-anchor is unable to get and validate the KSK, it
will fall back to getting it over http (using an unvalidated DNS lookup)
and verifying the accompanying signature against a hardcoded x509
certificate which is valid until 2023.

DES
-- 
Dag-Erling Smørgrav - des@des.no
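The two checks DES describes, as an added example that is not part of the original thread or of unbound: it parses a constructed root.key in unbound's autotrust format and a constructed `host -c CH -t TXT trustanchor.unbound` answer, and reports whether the new root KSK (20326) is known both on disk and by the running resolver. The `root_key_ksk_ids`, `trustanchor_txt_ids` and `rollover_status` names are mine; the abbreviated DNSKEY RDATA is a placeholder, not real key material.

```python
"""Check that local_unbound knows both root KSKs (19036 old, 20326 new)."""
import re

# Key tags named in the thread: 19036 is the old root KSK, 20326 the new one.
OLD_KSK, NEW_KSK = 19036, 20326

# Constructed sample of /var/unbound/root.key (autotrust format). The
# DNSKEY RDATA is abbreviated and is NOT real key material.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1539376916 ;;Fri Oct 12 22:41:56 2018
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAa... ;{id = 19036 (ksk), size = 2048b}
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAb... ;{id = 20326 (ksk), size = 2048b}
"""

# Constructed sample of the answer printed by
# `host -c CH -t TXT trustanchor.unbound` on a healthy resolver.
SAMPLE_HOST_OUTPUT = 'trustanchor.unbound descriptive text ". 19036 20326"\n'

# unbound annotates each DNSKEY line with ";{id = <tag> (ksk|zsk), size = <n>b}".
KEY_COMMENT = re.compile(r";\{id = (\d+) \((ksk|zsk)\), size = (\d+)b\}")


def root_key_ksk_ids(text):
    """Key tags of the KSK records in root.key. Lines starting with ';' are
    metadata, which is why the thread's `grep -c '^[^;]'` counts only keys."""
    ids = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = KEY_COMMENT.search(line)
        if m and m.group(2) == "ksk":
            ids.append(int(m.group(1)))
    return ids


def trustanchor_txt_ids(output):
    """Key tags from the trustanchor.unbound TXT answer, e.g. '". 19036 20326"'."""
    m = re.search(r'"\.\s+([\d\s]+)"', output)
    return [int(tok) for tok in m.group(1).split()] if m else []


def rollover_status(root_key_text, host_output):
    """Report whether the on-disk anchor file and the live resolver both
    carry the new KSK; 'ready' means the rollover will not break validation."""
    on_disk = set(root_key_ksk_ids(root_key_text))
    live = set(trustanchor_txt_ids(host_output))
    return {"file_has_new": NEW_KSK in on_disk,
            "resolver_has_new": NEW_KSK in live,
            "ready": NEW_KSK in on_disk and NEW_KSK in live}
```

On a real host, feed `open("/var/unbound/root.key").read()` and the captured `host` output into `rollover_status` instead of the constructed samples.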