[Bug 194991] New: dns/dnscrypt-proxy with DNSSEC fails
bugzilla-noreply at freebsd.org
Thu Nov 13 11:39:54 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194991
Bug ID: 194991
Summary: dns/dnscrypt-proxy with DNSSEC fails
Product: Ports Tree
Version: Latest
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: Normal
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: zaphod at berentweb.com
CC: freebsd at dns-lab.com
Flags: maintainer-feedback?(freebsd at dns-lab.com)
* I have unbound -> dnscrypt-proxy running in a jail.
* In the jail's rc.conf, I have
local_unbound_enable="YES"
dnscrypt_proxy_flags="-d -a 127.0.0.1:9040 -R dnscrypt.eu-nl"
dnscrypt_proxy_enable="YES"
* When the jail starts with DNSSEC enabled in unbound.conf, all DNS lookups
fail due to validation. This means lookups succeed, but validation fails with
messages like:
rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
autotrust: validate DNSKEY with anchor: sec_status_bogus
autotrust: dnskey did not verify.
autotrust: write to disk: /var/unbound/root.key.3269-0
autotrust: replaced /var/unbound/root.key
rrset failed to verify due to a lack of signatures
Failed to match any usable anchor to a DNSKEY.
validate keys with anchor(DS): sec_status_bogus
failed to prime trust anchor -- DNSKEY rrset is not secure
* THE SOLUTION: When the jail starts, "# jexec dns-jail csh" (chroot to jail),
kill dnscrypt-proxy and unbound, then restart with
dns-jail#> unbound
dns-jail#> dnscrypt-proxy -d -a 127.0.0.1:port -R <resolver>
--NOTES--
* The above is valid for unbound from ports AND from src (base)
* Modifying rc.d/unbound as suggested in the bug report does not solve the issue:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194975
* Other info on the topic here:
https://github.com/jedisct1/dnscrypt-proxy/issues/161#issuecomment-62744087
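An added check (editor's example, not code from the reporter, the port or unbound): a POSIX shell function that scans an unbound log for the trust-anchor failure messages quoted in the report and reports whether validation went bogus or autotrust rewrote the anchor file, so a jail's resolver can be checked right after startup. The sample logs are constructed from the lines quoted above; the log path is whatever unbound writes to in the jail.

```shell
#!/bin/sh
# Editor's added example, not code from the bug report or the port.
# Scans an unbound log for the trust-anchor failure messages quoted in the
# report so a jail's resolver can be checked right after startup.

# True (exit 0) when validation with the root anchor came back bogus.
unbound_anchor_bogus() {
    grep -q -e 'validate DNSKEY with anchor: sec_status_bogus' \
            -e 'failed to prime trust anchor' "$1"
}

# True (exit 0) when autotrust rewrote the anchor file on disk.
unbound_anchor_replaced() {
    grep -q 'autotrust: replaced ' "$1"
}

# One-word verdict for a log file: REPLACED, BOGUS or OK.
unbound_dnssec_verdict() {
    if unbound_anchor_replaced "$1"; then
        echo REPLACED
    elif unbound_anchor_bogus "$1"; then
        echo BOGUS
    else
        echo OK
    fi
}

# Constructed sample logs (lines taken from the report's quoted output).
REPLACED_LOG=$(mktemp)
cat > "$REPLACED_LOG" <<'EOF'
Failed to match any usable anchor to a DNSKEY.
autotrust: validate DNSKEY with anchor: sec_status_bogus
autotrust: dnskey did not verify.
autotrust: replaced /var/unbound/root.key
EOF

BOGUS_LOG=$(mktemp)
printf '%s\n' 'failed to prime trust anchor -- DNSKEY rrset is not secure' > "$BOGUS_LOG"

CLEAN_LOG=$(mktemp)
printf '%s\n' 'constructed benign log line' > "$CLEAN_LOG"

# Stand-alone run: prints REPLACED, BOGUS, OK (one per sample).
for f in "$REPLACED_LOG" "$BOGUS_LOG" "$CLEAN_LOG"; do
    unbound_dnssec_verdict "$f"
done
```

A REPLACED verdict means autotrust has already overwritten /var/unbound/root.key, so that file should be inspected and restored from a trusted copy before the resolver is relied on, rather than only restarting the daemons.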
--- Comment #1 from Bugzilla Automation <bugzilla at FreeBSD.org> ---
Maintainer CC'd