Date: Fri, 12 Oct 2018 22:41:56 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: DNS KSK rollover, local_unbound and 11.2-STABLE
Message-ID: <861s8uaodn.fsf@next.des.no>
In-Reply-To: <5BC046FB.9080906@grosbein.net> (Eugene Grosbein's message of "Fri, 12 Oct 2018 14:02:19 +0700")
References: <5BC046FB.9080906@grosbein.net>
Eugene Grosbein <eugen@grosbein.net> writes:
> It seems that 11.2-STABLE still has old unbound version 1.5.10 having
> no option trust-anchor-signaling.
>
> Can it be a reason that my home router running stable/11 r338011 as
> NanoBSD with stock local_unbound as DNS recursive service for LAN
> stopped working today?

No. If it was working before, it already had both KSKs. Try this:

% /usr/bin/host -c CH -t TXT trustanchor.unbound <router-ip>
trustanchor.unbound descriptive text ". 19036 20326"

The first number is the old KSK, the second number is the new KSK.

You can also check that your root.key has both entries:

% grep -c '^[^;]' /var/unbound/root.key
2

or just look inside:

. 172800 IN DNSKEY [...] ;{id = 19036 (ksk), size = 2048b} [...]
. 172800 IN DNSKEY [...] ;{id = 20326 (ksk), size = 2048b} [...]

In any case, if unbound-anchor is unable to get and validate the KSK, it
will fall back to getting it over http (using an unvalidated DNS lookup)
and verifying the accompanying signature against a hardcoded x509
certificate which is valid until 2023.

DES

-- 
Dag-Erling Smørgrav - des@des.no
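The root.key check above counts non-comment lines; the following added example (not from the mail or from the unbound project) goes one step further and reports which KSK key tags the autotrust file actually holds in VALID state, then checks for both 19036 and 20326. The embedded file is a constructed sample in unbound-anchor's autotrust layout with placeholder key material, not the real root DNSKEY data.

```shell
#!/bin/sh
# Constructed sample of /var/unbound/root.key (unbound-anchor autotrust format).
# Key material and the third entry (id 11111, state MISSING) are placeholders.
SAMPLE_ROOT_KEY=$(cat <<'EOF'
; autotrust trust anchor file
;;id: . 1
;;query_failed: 0
. 172800 IN DNSKEY 257 3 8 AwEAAPLACEHOLDER19036 ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
. 172800 IN DNSKEY 257 3 8 AwEAAPLACEHOLDER20326 ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
. 172800 IN DNSKEY 257 3 8 AwEAAPLACEHOLDER11111 ;{id = 11111 (ksk), size = 2048b} ;;state=1 [ MISSING ] ;;count=0
EOF
)

# Read an autotrust file on stdin and print the key tags of KSK entries
# that unbound currently treats as VALID, sorted, space separated.
# Comment lines (leading ';') are skipped, as in the grep in the mail.
valid_ksk_ids() {
    grep '^[^;]' | grep 'DNSKEY' | grep '(ksk)' | grep 'VALID' |
    sed -n 's/.*;{id = \([0-9]*\) (ksk).*/\1/p' |
    sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 only if both the old (19036) and the new (20326) root KSK are VALID.
has_both_ksks() {
    ids=$(valid_ksk_ids)
    case " $ids " in
        *" 19036 "*) ;;
        *) echo "old KSK 19036 missing or not VALID" >&2; return 1 ;;
    esac
    case " $ids " in
        *" 20326 "*) return 0 ;;
        *) echo "new KSK 20326 missing or not VALID" >&2; return 1 ;;
    esac
}

# Run against the constructed sample; on a router use:
#   valid_ksk_ids < /var/unbound/root.key
printf '%s\n' "$SAMPLE_ROOT_KEY" | valid_ksk_ids
printf '%s\n' "$SAMPLE_ROOT_KEY" | has_both_ksks && echo "both KSKs present"
```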