Date:      Sat, 1 May 2021 19:23:11 -0400
From:      Ryan Steinmetz <zi@freebsd.org>
To:        Rainer Duffner <rainer@ultra-secure.de>
Cc:        patrick.prugger@uname.at, freebsd-pkg@freebsd.org, dnsadm@freebsd.org
Subject:   Re: DNSSEC Errors on geo.freebsd.org
Message-ID:  <YI3i3w2nEmF0So/c@exodus.zi0r.com>
In-Reply-To: <CD0CA45E-A45D-4103-8AF3-A9759C079BE1@ultra-secure.de>
References:  <0a0c01d73ece$22f1dc60$68d59520$@uname.at> <CD0CA45E-A45D-4103-8AF3-A9759C079BE1@ultra-secure.de>


On (05/02/21 01:05), Rainer Duffner wrote:
>
>
>> On 01.05.2021 at 23:08, patrick.prugger--- via freebsd-pkg <freebsd-pkg@freebsd.org> wrote:
>>
>> Hello everyone!
>>
>> I just turned on DNSSEC validation on my DNS and it came to my eye that pkg
>> now doesn't work anymore.
>> Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
>> repository catalogue.
>>
>> Unfortunately it seems freebsd.org is signed with DNSSEC, but
>> geo.freebsd.org isn't which leads to a DNSSEC error, broken chain of trust.
>> For a diagram look here:
>> https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
>>

There's no error here and this host does indeed work fine with a 
validating recursive resolver.

geo.freebsd.org is delegated to a separate set of nameservers which 
handle geo-based replies.  DNSSEC is intentionally not present on the 
zone, as the software that responds with dynamic replies does not 
currently support signing those.

You should investigate your setup a bit more.

-r

>> Does anyone here have a contact to the maintainers of the freebsd.org DNS
>> zone?
>>
>
>https://www.freebsd.org/administration/#t-dnsadm
>
>
>

-- 
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228  EDC6 1EF8 BA6B D028 46D7



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YI3i3w2nEmF0So/c>
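The distinction Ryan draws above is between an "insecure" delegation (the parent is signed, publishes no DS for the child, and can prove that absence with a signed NSEC/NSEC3 record) and a genuinely broken chain of trust (a DS exists but nothing in the child validates, or the denial never reaches the validator). The following is an added example, not code from the thread or from the FreeBSD project: a small model of the DS-walk in RFC 4035 section 5 that a validating resolver uses to reach that decision. The zone-cut data is constructed to match the situation the email describes (org and freebsd.org signed, geo.freebsd.org unsigned with no DS); it is not a live snapshot of the freebsd.org zones, and the two failing chains are hypothetical.

```python
"""Added example, not part of the mailing-list thread above: a minimal model of
the DS-walk a validating resolver performs (RFC 4035 section 5) to decide
whether a name under an unsigned delegation such as geo.freebsd.org is
'insecure' (fine, answer returned) or 'bogus' (SERVFAIL).  The zone-cut data
below is constructed to match the situation the email describes; it is not a
live snapshot of the freebsd.org zones."""
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # unbroken chain from the trust anchor; AD=1
    INSECURE = "insecure"  # provably unsigned delegation; usable answer, AD=0
    BOGUS = "bogus"        # validation failed; resolver answers SERVFAIL


def cut(zone, ds_in_parent, child_key_matches_ds=False, denial_proven=False):
    """One zone cut as seen from the parent, top-down.

    ds_in_parent        : the parent zone returns a DS RRset for this child
    child_key_matches_ds: the child's DNSKEY hashes to that DS (only meaningful
                          when ds_in_parent is True)
    denial_proven       : with no DS, the parent's NSEC/NSEC3 proof of "no DS"
                          was present and its RRSIG validated
    """
    return {"zone": zone, "ds_in_parent": ds_in_parent,
            "child_key_matches_ds": child_key_matches_ds,
            "denial_proven": denial_proven}


def validate_chain(cuts):
    """Walk the cuts below the root trust anchor and return the leaf status."""
    status = Status.SECURE  # the root zone is covered by the configured anchor
    for c in cuts:
        if status is Status.INSECURE:
            # Below a provably insecure delegation the resolver stops asking
            # for DS records; nothing further down is expected to be signed.
            continue
        if c["ds_in_parent"]:
            # The parent vouches for a child key, so the child MUST validate.
            status = (Status.SECURE if c["child_key_matches_ds"]
                      else Status.BOGUS)
        elif c["denial_proven"]:
            # Authenticated "no DS": an insecure delegation, not an error.
            status = Status.INSECURE
        else:
            # No DS and no authenticated denial: the resolver cannot tell
            # whether a DS was stripped in transit, so it must assume bogus.
            status = Status.BOGUS
        if status is Status.BOGUS:
            break
    return status


def resolver_outcome(status):
    """(RCODE, AD flag) a validating resolver hands back for that status."""
    if status is Status.BOGUS:
        return ("SERVFAIL", False)
    return ("NOERROR", status is Status.SECURE)


# Constructed chains for pkgmir.geo.freebsd.org (a name inside the
# geo.freebsd.org zone, so the walk ends at that cut).
# 1. What the email describes: org and freebsd.org signed with DS records
#    (assumed), geo.freebsd.org delegated without a DS, absence proven by NSEC.
CHAIN_AS_DESCRIBED = [
    cut("org", ds_in_parent=True, child_key_matches_ds=True),
    cut("freebsd.org", ds_in_parent=True, child_key_matches_ds=True),
    cut("geo.freebsd.org", ds_in_parent=False, denial_proven=True),
]
# 2. A genuinely broken chain: a DS for geo.freebsd.org published in the
#    parent while the child zone is unsigned (hypothetical, not the real zone).
CHAIN_STALE_DS = [
    cut("org", ds_in_parent=True, child_key_matches_ds=True),
    cut("freebsd.org", ds_in_parent=True, child_key_matches_ds=True),
    cut("geo.freebsd.org", ds_in_parent=True, child_key_matches_ds=False),
]
# 3. A local resolver problem: no DS, but the NSEC/NSEC3 denial never reached
#    the validator (e.g. a forwarder that drops DNSSEC records; assumed cause).
CHAIN_NO_DENIAL = [
    cut("org", ds_in_parent=True, child_key_matches_ds=True),
    cut("freebsd.org", ds_in_parent=True, child_key_matches_ds=True),
    cut("geo.freebsd.org", ds_in_parent=False, denial_proven=False),
]

if __name__ == "__main__":
    for label, chain in [("as described", CHAIN_AS_DESCRIBED),
                         ("stale DS", CHAIN_STALE_DS),
                         ("denial missing", CHAIN_NO_DENIAL)]:
        s = validate_chain(chain)
        print(f"{label:15s} -> {s.value:8s} {resolver_outcome(s)}")
```

The first chain comes out INSECURE, which a resolver returns as a normal NOERROR answer with AD=0; only the second and third come out BOGUS and produce the SERVFAIL that would break pkg. On a live resolver the corresponding check is `dig +dnssec DS geo.freebsd.org`: an insecure delegation answers NOERROR with an empty answer section and signed NSEC/NSEC3 records in the authority section, and `delv pkgmir.geo.freebsd.org` reports an unsigned answer rather than a validation failure. A SERVFAIL from the local resolver while those records are present upstream points at the local setup (forwarder, firewall, or a stale trust anchor), which is the investigation Ryan suggests.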