DNS KSK rollover, local_unbound and 11.2-STABLE

Dag-Erling Smørgrav des at des.no
Sat Oct 13 12:13:58 UTC 2018


Eugene Grosbein <eugen at grosbein.net> writes:
> Why unbound daemon fails to update root.key after start?

The daemon uses a different bootstrap method than unbound-anchor, and if
I recall correctly, 1.5.10 is unable to self-bootstrap when there are two
concurrent KSKs, i.e. phase E of ICANN's operational plan, although it
should work when the old key is revoked in phase F.

The local_unbound service was never intended to be started without a
network connection.  You can do one of two things: either add a script
that runs after the network connection is up and stops the local_unbound
service, deletes /var/unbound/root.key, and restarts the local_unbound
service (which will run unbound-anchor before starting the daemon); or
you can try the attached patch, which a) adds the new KSK to
unbound-anchor so it doesn't need to fall back to the HTTP method and b)
works around the double-key problem.

DES
-- 
Dag-Erling Smørgrav - des at des.no

A non-text attachment was scrubbed...
Name: unbound-ksk-rollover.diff
Type: text/x-patch
Size: 1437 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20181013/0ea0f993/attachment.bin>
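The first workaround in the reply (stop local_unbound after the network is up, delete /var/unbound/root.key, start it again so the rc script re-runs unbound-anchor) written out as a script. This is an added example, not the attached patch and not part of the FreeBSD base system. The service name local_unbound and the path /var/unbound/root.key come from the mail; the ";{id = N (ksk)" and ";;state=N" annotations are assumed to be the layout of unbound's autotrust anchor file (state 2 = VALID, 4 = REVOKED), and the SERVICE_CMD, SVC_NAME and ROOT_KEY variables are this example's own knobs so it can be exercised without root. It only cycles the service when the current anchor file holds no key in VALID state, so running it on every boot is harmless.

```shell
#!/bin/sh
# Added example: re-bootstrap the local_unbound trust anchor once the network
# is up. Hook it in, for instance, from an rc.d script that declares
# "# REQUIRE: NETWORKING local_unbound" and invoke it as "script.sh --run".

ROOT_KEY="${ROOT_KEY:-/var/unbound/root.key}"   # anchor path named in the mail
SERVICE_CMD="${SERVICE_CMD:-service}"           # FreeBSD service(8); overridable for tests
SVC_NAME="${SVC_NAME:-local_unbound}"           # rc script name from the mail

# Print one "<keytag> <state>" line per KSK found in an autotrust anchor file.
# Assumed autotrust format: each DNSKEY line carries ";{id = <tag> (ksk), ...}"
# and ";;state=<n>" (2 VALID, 3 MISSING, 4 REVOKED). A freshly written
# unbound-anchor file has no such annotations and therefore prints nothing.
anchor_key_states() {
    file="$1"
    [ -r "$file" ] || return 1
    sed -n 's/.*;{id = \([0-9]*\) (ksk).*;;state=\([0-9]\).*/\1 \2/p' "$file"
}

# Succeed (exit 0) only if at least one key is in state 2 (VALID), meaning
# the daemon did manage to bootstrap and nothing needs redoing.
anchor_has_valid_key() {
    anchor_key_states "$1" | awk '$2 == 2 { found = 1 } END { exit !found }'
}

# The stop / delete / start cycle from the mail. Exit 0 when a fresh anchor
# was produced, 2 when the existing anchor was already fine, 1 on failure.
rebootstrap_anchor() {
    file="${1:-$ROOT_KEY}"
    if anchor_has_valid_key "$file"; then
        return 2
    fi
    "$SERVICE_CMD" "$SVC_NAME" stop || return 1
    rm -f "$file" || return 1
    # Starting the service runs unbound-anchor before unbound itself, which
    # recreates the file; this is the half of "restart" that matters here.
    "$SERVICE_CMD" "$SVC_NAME" start || return 1
    [ -s "$file" ]    # a non-empty anchor file must now exist
}

case "${1:-}" in
    --run) rebootstrap_anchor ;;
esac
```

Without `--run` the script only defines the functions, so it can be sourced from another rc script or checked by hand with `anchor_key_states /var/unbound/root.key` before deciding whether the cycle is needed.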

