13.10.2018 3:41, Dag-Erling Smørgrav wrote:

> In any case, if unbound-anchor is unable to get and validate the KSK, it
> will fall back to getting it over http (using an unvalidated DNS lookup)
> and verifying the accompanying signature against a hardcoded x509
> certificate which is valid until 2023.

Forgot to note that I've added "val-permissive-mode: yes" to the unbound.conf
after yesterday's disaster to make it work for a while.

It seems that unbound blacklists root DNS servers because of "not secure" rrsets?

Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: dnskey did not verify.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: write to disk: /root.key.7756-0
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: replaced /root.key
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] info: validate keys with anchor(DS): sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)

# fgrep 'blacklist add' unbound.log
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 192.5.5.241 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:37:13 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:40:42 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:42:52 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:49:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)


_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
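The symptom in the message above (a failed trust-anchor prime followed by one root server address after another being added to unbound's infrastructure blacklist) is easy to misread as an upstream outage. The following Python script is an added example, not code from the thread or from the unbound project: it parses unbound log lines in the format shown above, counts trust-anchor validation failures and the distinct server addresses that get blacklisted, and uses the combination to tell a local trust-anchor problem (the "val-permissive-mode" workaround hides exactly this case) from a genuine upstream reachability problem. The sample log is constructed from the lines in the message; the `distinct_threshold` of three servers is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the message above (not a real capture).
SAMPLE_LOG = """\
Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
"""

# "blacklist add ip4 <addr> port <port>" lines; the "blacklist add: cache" lines carry no address.
BLACKLIST_RE = re.compile(r"blacklist add ip[46] (\S+) port (\d+)")

# Messages unbound emits when the configured trust anchor cannot validate the DNSKEY rrset.
ANCHOR_FAIL_RE = re.compile(
    r"failed to prime trust anchor|all signatures are bogus|Failed to match any usable anchor"
)


def parse_unbound_log(text):
    """Return (number of trust-anchor failure lines, Counter of 'addr:port' blacklist additions)."""
    failures = 0
    blacklisted = Counter()
    for line in text.splitlines():
        if ANCHOR_FAIL_RE.search(line):
            failures += 1
        m = BLACKLIST_RE.search(line)
        if m:
            blacklisted[f"{m.group(1)}:{m.group(2)}"] += 1
    return failures, blacklisted


def classify(failures, blacklisted, distinct_threshold=3):
    """Classify the failure mode from the two counters.

    'trust-anchor': validation failures plus many distinct servers blacklisted; the
                    servers are almost certainly fine and the local anchor (root.key)
                    is the thing to check.
    'upstream':     servers blacklisted without any validation failure; look at
                    reachability or timeouts instead.
    'ok':           nothing blacklisted.
    """
    if failures and len(blacklisted) >= distinct_threshold:
        return "trust-anchor"
    if blacklisted:
        return "upstream"
    return "ok"


def report(text):
    """Human-readable summary for a log excerpt."""
    failures, blacklisted = parse_unbound_log(text)
    verdict = classify(failures, blacklisted)
    lines = [f"trust-anchor failures: {failures}",
             f"distinct blacklisted servers: {len(blacklisted)}",
             f"verdict: {verdict}"]
    for server, n in blacklisted.most_common():
        lines.append(f"  {server}  x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it over a real unbound.log with `report(open("unbound.log").read())`; a "trust-anchor" verdict is the cue to look at the anchor file rather than the network.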