[Bug 194991] New: dns/dnscrypt-proxy with DNSSEC fails

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Nov 13 11:39:54 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194991

            Bug ID: 194991
           Summary: dns/dnscrypt-proxy with DNSSEC fails
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: Normal
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: zaphod at berentweb.com
                CC: freebsd at dns-lab.com
             Flags: maintainer-feedback?(freebsd at dns-lab.com)

* I have unbound -> dnscrypt-proxy running in a jail.
* In the jail's rc.conf, I have
local_unbound_enable="YES"
dnscrypt_proxy_flags="-d -a 127.0.0.1:9040 -R dnscrypt.eu-nl"
dnscrypt_proxy_enable="YES"

* When the jail starts with DNSSEC enabled in unbound.conf, all DNS lookups
fail due to validation. This means lookups succeed, but validations fail with
messages like:
rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
autotrust: validate DNSKEY with anchor: sec_status_bogus
autotrust: dnskey did not verify.
autotrust: write to disk: /var/unbound/root.key.3269-0
autotrust: replaced /var/unbound/root.key
rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
validate keys with anchor(DS): sec_status_bogus
failed to prime trust anchor -- DNSKEY rrset is not secure

* THE SOLUTION: When the jail starts, "# jexec dns-jail csh" (chroot to jail),
kill dnscrypt-proxy and unbound, then restart with
dns-jail#> unbound
dns-jail#> dnscrypt-proxy -d -a 127.0.0.1:port -R <resolver>

--NOTES--
* The above is valid for unbound from ports AND from src (base)
* Modifying rc.d/unbound as suggested in the bug report does not solve the issue
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194975
* Other info on the topic here:
https://github.com/jedisct1/dnscrypt-proxy/issues/161#issuecomment-62744087

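The workaround above, as an added startup script that is not part of the report, dnscrypt-proxy or the FreeBSD rc.d scripts. It assumes the failure is caused by unbound sending its trust-anchor priming query before dnscrypt-proxy is accepting queries, that dnscrypt-proxy listens on 127.0.0.1:9040 as in the report's rc.conf, that the rc scripts are named dnscrypt-proxy and local_unbound, and that nc(1) with -z is available in the jail; the log-check functions look for the exact messages quoted in the report.

```sh
#!/bin/sh
# Added example (not from the bug report, dnscrypt-proxy or FreeBSD rc.d).
# Assumptions: dnscrypt-proxy listens on 127.0.0.1:9040 as in the report's
# rc.conf, the rc scripts are named dnscrypt-proxy and local_unbound, and
# nc(1) supporting -z is installed in the jail.

DNSCRYPT_ADDR=127.0.0.1
DNSCRYPT_PORT=9040

# Exit 0 if the unbound log text in $1 shows the failure from the report:
# validation of the trust anchor's DNSKEY/DS came back bogus.
anchor_failed_in_log() {
    printf '%s\n' "$1" | grep -Eq \
        'sec_status_bogus|failed to prime trust anchor|Failed to match any usable anchor'
}

# Exit 0 if autotrust overwrote the anchor file. After that, restarting
# unbound alone is not enough; /var/unbound/root.key must be restored first.
root_key_replaced_in_log() {
    printf '%s\n' "$1" | grep -q 'autotrust: replaced /var/unbound/root.key'
}

# Poll until something accepts TCP connections on $1:$2, for up to $3 seconds.
wait_for_listener() {
    i=0
    while [ "$i" -lt "$3" ]; do
        nc -z "$1" "$2" >/dev/null 2>&1 && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Start the daemons in the order of the report's manual workaround, but only
# start unbound once the forwarder is actually reachable, so the first
# priming query is not sent into a closed port.
start_in_order() {
    service dnscrypt-proxy start || return 1
    wait_for_listener "$DNSCRYPT_ADDR" "$DNSCRYPT_PORT" 30 || {
        echo "dnscrypt-proxy not listening on $DNSCRYPT_ADDR:$DNSCRYPT_PORT" >&2
        return 1
    }
    service local_unbound start
}
```

Run `start_in_order` from the jail instead of relying on rc.d ordering; afterwards, feed unbound's log to `anchor_failed_in_log` to confirm the anchor primed cleanly.
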
--- Comment #1 from Bugzilla Automation <bugzilla at FreeBSD.org> ---
Maintainer CC'd
