Date: Sun, 2 May 2021 20:54:56 +0200
From: <patrick.prugger@uname.at>
To: "'Ryan Steinmetz'" <zi@freebsd.org>
Cc: <freebsd-pkg@freebsd.org>, <dnsadm@freebsd.org>
Subject: AW: DNSSEC Errors on geo.freebsd.org
Message-ID: <002801d73f84$a590eb50$f0b2c1f0$@uname.at>
In-Reply-To: <YI3i3w2nEmF0So/c@exodus.zi0r.com>
References: <0a0c01d73ece$22f1dc60$68d59520$@uname.at> <CD0CA45E-A45D-4103-8AF3-A9759C079BE1@ultra-secure.de> <YI3i3w2nEmF0So/c@exodus.zi0r.com>

Hello everyone!

After hours of debugging I found out it actually seems to be a bug in the TLS interface of unbound 1.9.0.2.
I just patched to unbound 1.13.1 from buster-backports and now it works.

Thanks for your help!

Best regards
Patrick Prugger

-----Original Message-----
From: Ryan Steinmetz <zi@freebsd.org>
Sent: Sunday, 2 May 2021 01:23
To: Rainer Duffner <rainer@ultra-secure.de>
Cc: patrick.prugger@uname.at; freebsd-pkg@freebsd.org; dnsadm@freebsd.org
Subject: Re: DNSSEC Errors on geo.freebsd.org

On (05/02/21 01:05), Rainer Duffner wrote:
>
>
>> On 01.05.2021 at 23:08, patrick.prugger--- via freebsd-pkg <freebsd-pkg@freebsd.org> wrote:
>>
>> Hello everyone!
>>
>> I just turned on DNSSEC validation on my DNS and it came to my eye
>> that pkg now doesn't work anymore.
>> Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
>> repository catalogue.
>>
>> Unfortunately it seems freebsd.org is signed with DNSSEC, but
>> geo.freebsd.org isn't, which leads to a DNSSEC error, broken chain of trust.
>> For a diagram look here:
>> https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
>>

There's no error here and this host does indeed work fine with a validating recursive resolver.

geo.freebsd.org is delegated to a separate set of nameservers which handle geo-based replies. DNSSEC is intentionally not present on the zone as the software that responds with dynamic replies does not currently support signing those.

You should investigate your setup a bit more.

-r

>> Does anyone here have a contact to the maintainers of the freebsd.org
>> DNS zone?
>>
>
>https://www.freebsd.org/administration/#t-dnsadm
>
>
>

--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
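
The point made in the reply above, that an unsigned zone delegated from a signed parent is not a validation error, as an added example that is not part of the original thread: a simplified Python model of the per-delegation decision a validating resolver makes (RFC 4035, section 5.2). The chain data is constructed from the thread's description, and every name in the code is hypothetical.

```python
# Added illustration, not code from the thread or from unbound.
# Simplified model: a delegation with no DS is "insecure" only if the
# absence of the DS is itself proven by a validated NSEC/NSEC3 record.
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class Delegation:
    child: str
    ds_present: bool        # parent publishes a DS RRset for the child
    denial_validated: bool  # signed proof that no DS exists was verified
    child_sigs_valid: bool  # child's DNSKEY/RRSIGs verify against the DS

def classify_chain(chain):
    """Walk down from the trust anchor; return (status, deciding zone)."""
    status, decided_at = SECURE, "."
    for d in chain:
        if status == INSECURE:
            continue  # nothing below an insecure delegation is validated
        if d.ds_present:
            if not d.child_sigs_valid:
                return BOGUS, d.child
            decided_at = d.child
        elif d.denial_validated:
            status, decided_at = INSECURE, d.child
        else:
            return BOGUS, d.child  # no DS and no proof of its absence
    return status, decided_at

def resolver_response(status):
    """What a validating resolver hands back to the client."""
    return {SECURE: "answer, AD flag set",
            INSECURE: "answer, AD flag clear",
            BOGUS: "SERVFAIL"}[status]

def sample_chain(denial_validated=True):
    # Constructed data: signed parents, unsigned geo.freebsd.org.
    return [
        Delegation("org.", True, False, True),
        Delegation("freebsd.org.", True, False, True),
        Delegation("geo.freebsd.org.", False, denial_validated, False),
        Delegation("pkgmir.geo.freebsd.org.", False, False, False),
    ]

if __name__ == "__main__":
    for ok in (True, False):
        status, zone = classify_chain(sample_chain(ok))
        print(ok, status, zone, "->", resolver_response(status))
```

A resolver that reaches the "bogus" branch for an intentionally unsigned zone has failed to obtain or verify the proof that no DS exists, which points at the resolver's own setup or transport rather than at the zone.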