Date:      Sat, 13 Oct 2018 15:00:33 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: DNS KSK rollover, local_unbound and 11.2-STABLE
Message-ID:  <d3f2d5cb-20a2-6868-55ae-9dd5181d997a@grosbein.net>
In-Reply-To: <861s8uaodn.fsf@next.des.no>
References:  <5BC046FB.9080906@grosbein.net> <861s8uaodn.fsf@next.des.no>

13.10.2018 3:41, Dag-Erling Smørgrav wrote:

> In any case, if unbound-anchor is unable to get and validate the KSK, it
> will fall back to getting it over http (using an unvalidated DNS lookup)
> and verifying the accompanying signature against a hardcoded x509
> certificate which is valid until 2023.

Forgot to note that I've added "val-permissive-mode: yes" to the unbound.conf
after yesterday's disaster to make it work for a while.

It seems that unbound blacklists root DNS servers because of "not secure" rrsets?

Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: dnskey did not verify.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: write to disk: /root.key.7756-0
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: replaced /root.key
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] info: validate keys with anchor(DS): sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)

# fgrep 'blacklist add' unbound.log
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 192.5.5.241 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:37:13 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:40:42 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:42:52 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:49:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
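The log excerpt above shows the pattern a practitioner wants to recognise quickly: autotrust cannot match any usable anchor to the root DNSKEY RRset, priming the trust anchor fails, and unbound then blacklists the servers that returned the "bogus" data, which happen to be the root servers themselves. The script below is an added example written for this page, not code from the original message or from the unbound project. It parses unbound log lines of the kind pasted above, counts trust-anchor priming failures and bogus-signature messages, maps the blacklisted addresses to root server letters (the IPv4 addresses are assumed to match the IANA root hints as published in 2018) and distinguishes a stale or wrong trust anchor from plain unreachability of the roots. The sample log embedded in the script is copied from the excerpt in this message. Note that the workaround mentioned above, val-permissive-mode: yes, makes unbound hand out data that failed validation as if it were insecure, so it removes DNSSEC protection for every client of the resolver until the anchor is repaired.

```python
"""Triage an unbound log for a broken root trust anchor.

Added example, not part of the original message or of unbound. It parses
syslog-style unbound lines, correlates "failed to prime trust anchor" and
bogus-signature messages with "blacklist add ip4" entries, and checks whether
the blacklisted addresses are the root servers. Root server IPv4 addresses are
assumed to match the IANA root hints as of 2018.
"""
import re
from collections import Counter

# IPv4 -> root server letter (assumption: IANA root hints, 2018).
ROOT_SERVERS_V4 = {
    "198.41.0.4": "a", "199.9.14.201": "b", "192.33.4.12": "c",
    "199.7.91.13": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "198.97.190.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

# syslog prefix, then "unbound: [pid:tid] level: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) unbound: "
    r"\[(?P<pid>\d+):(?P<tid>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
# Only the per-address entries; "blacklist add: cache" is deliberately skipped.
BLACKLIST_RE = re.compile(
    r"^blacklist add ip4 (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)

# Sample input copied from the log excerpt in the message above.
SAMPLE_LOG = """\
Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: dnskey did not verify.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: write to disk: /root.key.7756-0
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: replaced /root.key
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] info: validate keys with anchor(DS): sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 192.5.5.241 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:37:13 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
"""


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not unbound's."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Correlate anchor failures with blacklisted servers and return a verdict."""
    anchor_failures = 0
    bogus_rrsets = 0
    blacklisted = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("failed to prime trust anchor"):
            anchor_failures += 1
        elif "all signatures are bogus" in msg or "sec_status_bogus" in msg:
            bogus_rrsets += 1
        else:
            b = BLACKLIST_RE.match(msg)
            if b:
                blacklisted[b.group("ip")] += 1
    roots = sorted({ROOT_SERVERS_V4[ip] for ip in blacklisted if ip in ROOT_SERVERS_V4})
    non_roots = sorted(ip for ip in blacklisted if ip not in ROOT_SERVERS_V4)
    if anchor_failures and roots:
        # The roots answered; unbound rejected the answers. Fix root.key, not the network.
        verdict = "stale-trust-anchor"
    elif roots:
        verdict = "root-unreachable"
    else:
        verdict = "inconclusive"
    return {
        "anchor_failures": anchor_failures,
        "bogus_rrsets": bogus_rrsets,
        "blacklisted": dict(blacklisted),
        "root_servers_blacklisted": roots,
        "non_root_blacklisted": non_roots,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("verdict:", report["verdict"])
    print("trust anchor priming failures:", report["anchor_failures"])
    print("bogus RRset messages:", report["bogus_rrsets"])
    print("root servers blacklisted:", " ".join(report["root_servers_blacklisted"]) or "none")
```

Run it as-is to see the sample excerpt classified as a stale trust anchor, or feed it a real file with `analyze(open("/var/log/unbound.log"))`. A "stale-trust-anchor" verdict says the roots were reachable and answering; what failed was the check of the DNSKEY RRset against the local anchor, so the place to look is the root.key file and the unbound-anchor fallback described in the quoted reply, not routing or firewalls.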
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d3f2d5cb-20a2-6868-55ae-9dd5181d997a>