Date:      Mon, 27 Jul 2020 17:19:57 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 248239] local_unbound: Fails to resolve europris.no fail after 11.3->11.4 upgrade
Message-ID:  <bug-248239-7501-sWDcmZn0Da@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-248239-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-248239-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248239

Chris Hutchinson <portmaster@bsdforge.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |portmaster@bsdforge.com

--- Comment #14 from Chris Hutchinson <portmaster@bsdforge.com> ---
Unless the version of unbound I'm running is newer
than the version in question. The answer I get
is correct:

# head -n3 unbound.log | grep start
Jan 26 11:11:58 unbound[63414:0] info: start of service (unbound 1.7.3).

# drill -v
drill version 1.6.17 (ldns version 1.6.17)
Written by NLnet Labs.

Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.

# drill -TD europris.no.
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 46594 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .      172800  IN      DNSKEY  256 3 8 <LONG-HASH> ;{id = 46594 (zsk),
size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8 <LONG-HASH> ;{id =
46594 (zsk), size = 2048b}
Key is now trusted!
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
[T] no. 86400 IN DS 29471 8 2 <LONG-HASH>
;; Domain: no.
[T] no. 3600 IN DNSKEY 257 3 8 ;{id = 29471 (ksk), size = 2048b}
no. 3600 IN DNSKEY 256 3 8 ;{id = 35961 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: no.    3600    IN      DNSKEY  256 3 8 <LONG-HASH> ;{id = 35961 (zsk),
size = 1024b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  256 3 8 <LONG-HASH> ;{id =
46594 (zsk), size = 2048b}
        Trusted key: .  172800  IN      DNSKEY  257 3 8 <LONG-HASH> ;{id =
20326 (ksk), size = 2048b}
        Trusted key: no.        3600    IN      DNSKEY  257 3 8 <LONG-HASH>
;{id = 29471 (ksk), size = 2048b}
        Trusted key: no.        3600    IN      DNSKEY  256 3 8 <LONG-HASH>
;{id = 35961 (zsk), size = 1024b}
Key is now trusted!
[T] europris.no. 7200 IN DS 25323 15 2 <LONG-HASH>
europris.no. 7200 IN DS 25323 15 4 <LONG-HASH>
;; Domain: europris.no.
;; Signature ok but no chain to a trusted key or ds record
[S] europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
europris.no. 3600 IN DNSKEY 256 3 15 ;{id = 39946 (zsk), size = 0b}
europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
[S] europris.no.        3600    IN      A       194.63.248.52
;;[S] self sig OK; [B] bogus; [T] trusted

OTOH in any case the real solution (if required) would be from the (unbound)
developer(s).
With a WARN (from @secteam) as necessary to those affected, in the meantime.

--Chris

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
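
Added example (not part of the original message, and not code from drill or ldns): a small Python parser for the status lines of a `drill -TD` trace like the one above. It reports owners whose DS RRset is marked [T] while their DNSKEY RRset is not, and whether a DNSKEY matching each DS key tag and algorithm is present; `chain_report`, `chain_breaks` and `SAMPLE` are names and data constructed for illustration.

```python
import re

# Constructed sample: DS/DNSKEY status lines in the trace format shown above, digests elided.
SAMPLE = """\
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 46594 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
[T] no. 86400 IN DS 29471 8 2 <LONG-HASH>
[T] no. 3600 IN DNSKEY 257 3 8 ;{id = 29471 (ksk), size = 2048b}
no. 3600 IN DNSKEY 256 3 8 ;{id = 35961 (zsk), size = 1024b}
[T] europris.no. 7200 IN DS 25323 15 2 <LONG-HASH>
europris.no. 7200 IN DS 25323 15 4 <LONG-HASH>
;; Domain: europris.no.
;; Signature ok but no chain to a trusted key or ds record
[S] europris.no. 3600 IN DNSKEY 256 3 13 ;{id = 14997 (zsk), size = 256b}
europris.no. 3600 IN DNSKEY 257 3 15 ;{id = 25323 (ksk), size = 0b}
europris.no. 3600 IN DNSKEY 256 3 15 ;{id = 39946 (zsk), size = 0b}
europris.no. 3600 IN DNSKEY 257 3 13 ;{id = 46820 (ksk), size = 256b}
"""

ALG = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}  # IANA numbers
REC = re.compile(r"^(?:\[([TSB])\]\s+)?(\S*\.)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def chain_report(trace):
    """Per owner: [T]/[S]/[B] status of its DS and DNSKEY RRsets, plus (tag, alg) pairs."""
    zones, last = {}, (None, None, None)
    for line in trace.splitlines():
        m = REC.match(line)
        if not m:
            continue
        mark, owner, rrtype, rest = m.groups()
        if mark:  # a marker opens an RRset; unmarked lines below it share its status
            last = (owner, rrtype, mark)
        if rrtype not in ("DS", "DNSKEY") or last[:2] != (owner, rrtype):
            continue  # other types, or an unmarked line that continues no marked RRset
        z = zones.setdefault(owner, {"DS": None, "DNSKEY": None, "ds": set(), "keys": set()})
        z[rrtype] = last[2]
        f = rest.split()
        if rrtype == "DS":  # DS rdata: key tag, algorithm, digest type, digest
            z["ds"].add((int(f[0]), int(f[1])))
        else:               # DNSKEY rdata: flags, protocol, algorithm; tag is in the comment
            z["keys"].add((int(re.search(r"id = (\d+)", rest).group(1)), int(f[2])))
    return zones

def chain_breaks(trace):
    """Owners with a trusted DS but untrusted DNSKEY set: (tag, algorithm, DNSKEY present?)."""
    return [(name, sorted((t, ALG.get(a, str(a)), (t, a) in z["keys"]) for t, a in z["ds"]))
            for name, z in chain_report(trace).items()
            if z["DS"] == "T" and z["DNSKEY"] != "T"]
```

For the sample, `chain_breaks(SAMPLE)` returns `[('europris.no.', [(25323, 'ED25519', True)])]`: the DS in the parent is trusted and the key it names is in the DNSKEY set, yet that set is only marked self-signed.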