DNS KSK rollover, local_unbound and 11.2-STABLE

Eugene Grosbein eugen at grosbein.net
Sat Oct 13 08:00:47 UTC 2018


13.10.2018 3:41, Dag-Erling Smørgrav wrote:

> In any case, if unbound-anchor is unable to get and validate the KSK, it
> will fall back to getting it over http (using an unvalidated DNS lookup)
> and verifying the accompanying signature against a hardcoded x509
> certificate which is valid until 2023.

Forgot to note that I've added "val-permissive-mode: yes" to the unbound.conf
after yesterday's disaster to make it work for a while.

It seems that unbound blacklists root DNS servers because of "not secure" rrsets?

Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: dnskey did not verify.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: write to disk: /root.key.7756-0
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: replaced /root.key
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] info: validate keys with anchor(DS): sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)

# fgrep 'blacklist add' unbound.log
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 192.5.5.241 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:37:13 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:40:42 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:42:52 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:49:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
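The log excerpt above shows the pattern a resolver operator wants to catch early: the root DNSKEY rrset fails validation against the local anchor ("sec_status_bogus", "failed to prime trust anchor"), and unbound then starts adding root-server addresses to its blacklist one after another. The script below is an added example, not code from the post or from the unbound project; it parses unbound's syslog lines in the format shown above (a constructed sample modelled on that excerpt is embedded), counts the validation failures and the per-server blacklist additions, and classifies the condition so that a trust-anchor failure is not mistaken for the root servers being unreachable. The message-format regex and the three verdict labels are assumptions of this example.

```python
"""Classify unbound trust-anchor failures from syslog lines (added example)."""
import re
from collections import Counter

# Constructed sample log, modelled on the unbound excerpt quoted in the post above.
SAMPLE_LOG = """\
Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host unbound: [pid:thread] level: message"
SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) unbound: \[(\d+):(\d+)\] (\w+): (.*)$")
PRIME_FAIL_RE = re.compile(r"failed to prime trust anchor")
BOGUS_RE = re.compile(
    r"all signatures are bogus|sec_status_bogus|Failed to match any usable anchor")
# "blacklist add: cache" carries no address and is deliberately not matched here.
BLACKLIST_RE = re.compile(r"blacklist add ip[46] (\S+) port (\d+)")


def parse_line(line):
    """Split one unbound syslog line into its fields, or return None if it is not one."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, host, pid, thread, level, msg = m.groups()
    return {"ts": ts, "host": host, "pid": int(pid), "thread": int(thread),
            "level": level, "msg": msg}


def analyze(log_text):
    """Count anchor-priming failures, bogus-signature events and blacklist additions."""
    summary = {"prime_failures": 0, "bogus_events": 0,
               "blacklisted": Counter(), "first_failure": None}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if PRIME_FAIL_RE.search(msg):
            summary["prime_failures"] += 1
            if summary["first_failure"] is None:
                summary["first_failure"] = rec["ts"]
        if BOGUS_RE.search(msg):
            summary["bogus_events"] += 1
        m = BLACKLIST_RE.search(msg)
        if m:
            summary["blacklisted"][m.group(1)] += 1  # keyed by server address
    return summary


def verdict(summary):
    """Classify the resolver state.

    trust-anchor-failure: the root DNSKEY does not validate against the local anchor
        and servers are being blacklisted because of it (the servers are fine; the
        local anchor or the key fetch is the problem, as in the post).
    blacklist-only: servers are blacklisted but nothing failed validation, which
        points at reachability or upstream trouble rather than DNSSEC.
    ok: nothing of interest in the window.
    """
    validation_broken = summary["prime_failures"] > 0 or summary["bogus_events"] > 0
    if validation_broken and summary["blacklisted"]:
        return "trust-anchor-failure"
    if summary["blacklisted"]:
        return "blacklist-only"
    return "ok"


def report(log_text):
    """Return human-readable lines for a ticket or alert body."""
    s = analyze(log_text)
    lines = [f"verdict: {verdict(s)}",
             f"anchor priming failures: {s['prime_failures']} (first at {s['first_failure']})",
             f"bogus-signature events: {s['bogus_events']}",
             f"distinct servers blacklisted: {len(s['blacklisted'])}"]
    for ip, n in s["blacklisted"].most_common():
        lines.append(f"  {ip}: {n} additions")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log with something like `python3 detect.py < /var/log/unbound.log` after changing the main block to read stdin; note that once "val-permissive-mode: yes" is in place the bogus answers are served instead of dropped, so the blacklist lines may stop while the validation failure itself persists, which is why the verdict checks the validation messages and not only the blacklist count.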




More information about the freebsd-net mailing list