[Bug 248239] local_unbound: Fails to resolve europris.no fail after 11.3->11.4 upgrade

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Jul 27 17:19:58 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239

Chris Hutchinson <portmaster at bsdforge.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |portmaster at bsdforge.com

--- Comment #14 from Chris Hutchinson <portmaster at bsdforge.com> ---
Unless the version of unbound I'm running is newer
than the version in question. The answer I get is
correct:

# head -n3 unbound.log | grep start
Jan 26 11:11:58 unbound[63414:0] info: start of service (unbound 1.7.3).

# drill -v
drill version 1.6.17 (ldns version 1.6.17)
Written by NLnet Labs.

Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.

# drill -TD europris.no.
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 46594 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .      172800  IN      DNSKEY  256 3 8 <LONG-HASH> ;{id = 46594 (zsk),
size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8 <LONG-HASH> ;{id =
46594 (zsk), size = 2048b}
Key is now trusted!
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
[T] no. 86400 IN DS 29471 8 2 <LONG-HASH> 
;; Domain: no.
[T] no. 3600 IN DNSKEY 257 3 8 ;{id = 29471 (ksk), size = 2048b}
no. 3600 IN DNSKEY 256 3 8 ;{id = 35961 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: no.    3600    IN      DNSKEY  256 3 8 <LONG-HASH> ;{id = 35961 (zsk),
size = 1024b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8 <LONG-HASH> ;{id =
46594 (zsk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
        Trusted key: no.        3600    IN      DNSKEY  257 3 8 <LONG-HASH>
;{id = 29471 (ksk), size = 2048b}
        Trusted key: no.        3600    IN      DNSKEY  256 3 8 <LONG-HASH>
;{id = 35961 (zsk), size = 1024b}
Key is now trusted!
[T] europris.no. 7200 IN DS 25323 15 2 <LONG-HASH> 
europris.no. 7200 IN DS 25323 15 4 <LONG-HASH> 
;; Domain: europris.no.
;; Signature ok but no chain to a trusted key or ds record
[S] europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
europris.no. 3600 IN DNSKEY 256 3 15 ;{id = 39946 (zsk), size = 0b}
europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
[S] europris.no.        3600    IN      A       194.63.248.52
;;[S] self sig OK; [B] bogus; [T] trusted

OTOH in any case the real solution (if required) would be from the (unbound)
developer(s).
With a WARN (from @secteam) as necessary to those affected, in the meantime.

--Chris
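
An added example, not part of the comment above and not code from drill or unbound: a small parser for the `drill -TD` trace format shown in the comment. It reports zones where the parent's DS is marked [T] but the child's DNSKEY set is not, together with the DNSKEY each DS points at. The sample lines are excerpted from that trace; the names `parse_trace` and `chain_breaks` are hypothetical.

```python
import re

# Constructed sample: lines excerpted from the drill -TD trace quoted above.
SAMPLE = """\
[T] no. 86400 IN DS 29471 8 2 <LONG-HASH>
[T] no. 3600 IN DNSKEY 257 3 8 ;{id = 29471 (ksk), size = 2048b}
no. 3600 IN DNSKEY 256 3 8 ;{id = 35961 (zsk), size = 1024b}
        Trusted key: no.        3600    IN      DNSKEY  257 3 8 <LONG-HASH>
[T] europris.no. 7200 IN DS 25323 15 2 <LONG-HASH>
europris.no. 7200 IN DS 25323 15 4 <LONG-HASH>
;; Signature ok but no chain to a trusted key or ds record
[S] europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
"""

RR = re.compile(r"^(?:\[([TSB])\]\s+)?(\S+)\s+\d+\s+IN\s+(DS|DNSKEY)\s+(.*)$")
KEY = re.compile(r"\d+ 3 (\d+) ;\{id = (\d+) \((\w+)\), size = (\d+)b\}")

def parse_trace(text):
    """Return {owner: {"DS": [...], "DNSKEY": [...]}}; unmarked lines inherit the RRset marker."""
    zones, last = {}, None
    for line in text.splitlines():
        m = RR.match(line)  # "New key:" / "Trusted key:" detail lines do not match
        if not m:
            continue
        mark, owner, rtype, rdata = m.groups()
        if mark is None and last and last[:2] == (owner, rtype):
            mark = last[2]
        last = (owner, rtype, mark)
        if rtype == "DS":
            tag, alg, digest = (int(x) for x in rdata.split()[:3])
            rec = {"mark": mark, "tag": tag, "alg": alg, "digest": digest}
        else:
            k = KEY.search(rdata)
            if not k:  # DNSKEY line without drill's ;{id = ...} summary
                continue
            rec = {"mark": mark, "tag": int(k[2]), "alg": int(k[1]), "role": k[3], "size": int(k[4])}
        zones.setdefault(owner, {"DS": [], "DNSKEY": []})[rtype].append(rec)
    return zones

def chain_breaks(zones):
    """Zones whose DS is [T] but whose DNSKEY set is not, with the DNSKEY each DS points at."""
    out = {}
    for owner, z in zones.items():
        if any(d["mark"] == "T" for d in z["DS"]) and not any(k["mark"] == "T" for k in z["DNSKEY"]):
            targets = {(d["tag"], d["alg"]) for d in z["DS"]}
            out[owner] = [k for k in z["DNSKEY"] if (k["tag"], k["alg"]) in targets]
    return out
```

Calling `chain_breaks(parse_trace(SAMPLE))` returns only `europris.no.`, with the DNSKEY of tag 25323 and algorithm 15 that drill listed as `size = 0b`.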
