DNS KSK rollover, local_unbound and 11.2-STABLE

Dag-Erling Smørgrav des at des.no
Fri Oct 12 20:41:58 UTC 2018


Eugene Grosbein <eugen at grosbein.net> writes:
> It seems that 11.2-STABLE still has old unbound version 1.5.10 having
> no option trust-anchor-signaling.
>
> Can it be a reason that my home router running stable/11 r338011 as
> NanoBSD with stock local_unbound
> as DNS recursive service for LAN stopped working today?

No.  If it was working before, it already had both KSKs.  Try this:

% /usr/bin/host -c CH -t TXT trustanchor.unbound <router-ip>
trustanchor.unbound descriptive text ". 19036 20326"

The first number is the old KSK, the second number is the new KSK.

You can also check that your root.key has both entries:

% grep -c '^[^;]' /var/unbound/root.key
2

or just look inside:

. 172800 IN DNSKEY [...] ;{id = 19036 (ksk), size = 2048b} [...]
. 172800 IN DNSKEY [...] ;{id = 20326 (ksk), size = 2048b} [...]

In any case, if unbound-anchor is unable to get and validate the KSK, it
will fall back to getting it over http (using an unvalidated DNS lookup)
and verifying the accompanying signature against a hardcoded x509
certificate which is valid until 2023.

DES
-- 
Dag-Erling Smørgrav - des at des.no
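
An added example, not from DES's mail or from unbound itself, that scripts the two checks above in POSIX sh: it parses the CHAOS-class TXT answer and the `;{id = N (ksk)}` comments in root.key and confirms the new KSK id appears in both. The TXT answer and the root.key contents are constructed samples in the real layout; the key material is a placeholder string.

```shell
#!/bin/sh
# Added example, not from the original mail: automate the two checks
# DES describes. All input below is constructed; the key material is a
# placeholder string, not a real DNSKEY.

# Constructed: output of "host -c CH -t TXT trustanchor.unbound <router-ip>"
# from a resolver that knows both root KSKs.
TXT_ANSWER='trustanchor.unbound descriptive text ". 19036 20326"'

# Constructed: /var/unbound/root.key in unbound-anchor's autotrust layout.
# Comment lines start with ';'; each DNSKEY line ends with its key id.
ROOT_KEY='; autotrust trust anchor file
;;id: . 1
. 172800 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA ;{id = 20326 (ksk), size = 2048b}'

# Key ids advertised in the TXT answer: the quoted ". 19036 20326" string.
txt_ids() {
    printf '%s\n' "$1" | sed -n 's/.*"\. \([0-9 ]*\)".*/\1/p'
}

# Key ids of KSK records (flags field 257) in root.key, taken from the
# ";{id = N (ksk), ...}" comment unbound-anchor appends to each record.
rootkey_ids() {
    printf '%s\n' "$1" | awk '!/^;/ && $4 == "DNSKEY" && $5 == 257 {
        if (match($0, /id = [0-9]+/)) print substr($0, RSTART + 5, RLENGTH - 5)
    }'
}

# Same count DES gets with "grep -c '^[^;]' /var/unbound/root.key".
rootkey_records() { printf '%s\n' "$1" | grep -c '^[^;]'; }

# Succeed only if key id $1 occurs in the whitespace-separated list $2.
has_id() { for id in $2; do [ "$id" = "$1" ] && return 0; done; return 1; }

# Verdict: the new KSK (20326) must be present in both sources. A resolver
# that lists only 19036 missed the rollover and cannot validate data
# signed with the new key.
check_anchors() {
    t=$(txt_ids "$1"); r=$(rootkey_ids "$2")
    has_id 20326 "$t" && has_id 20326 "$r"
}

check_anchors "$TXT_ANSWER" "$ROOT_KEY" &&
    echo "new KSK 20326 present in TXT answer and root.key"
```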