From: Eugene Grosbein <eugen@grosbein.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: DNS KSK rollover, local_unbound and 11.2-STABLE
Date: Sat, 13 Oct 2018 15:00:33 +0700
In-Reply-To: <861s8uaodn.fsf@next.des.no>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

13.10.2018 3:41, Dag-Erling Smørgrav wrote:

> In any case, if unbound-anchor is unable to get and validate the KSK, it
> will fall back to getting it over http (using an unvalidated DNS lookup)
> and verifying the accompanying signature against a hardcoded x509
> certificate which is valid until 2023.

Forgot to note that I've added "val-permissive-mode: yes" to the unbound.conf after yesterday's disaster to make it work for a while.

It seems that unbound blacklists root DNS servers because of "not secure" rrsets?

Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: validate DNSKEY with anchor: sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: dnskey did not verify.
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: write to disk: /root.key.7756-0
Oct 13 14:37:11 gw unbound: [7756:0] debug: autotrust: replaced /root.key
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] info: validate keys with anchor(DS): sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)

# fgrep 'blacklist add' unbound.log
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 192.5.5.241 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:37:13 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:39:23 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:40:41 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:40:42 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:41:50 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 193.0.14.129 port 53 (len 16)
Oct 13 14:41:51 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:42:52 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:42:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:44:02 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:45:17 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 198.41.0.4 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:46:32 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:47:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.58.128.30 port 53 (len 16)
Oct 13 14:47:54 gw unbound: [7756:0] debug: blacklist add ip4 192.33.4.12 port 53 (len 16)
Oct 13 14:49:17 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 202.12.27.33 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 192.203.230.10 port 53 (len 16)
Oct 13 14:49:18 gw unbound: [7756:0] debug: blacklist add ip4 199.7.83.42 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 199.7.91.13 port 53 (len 16)
Oct 13 14:50:53 gw unbound: [7756:0] debug: blacklist add ip4 192.112.36.4 port 53 (len 16)
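Editor's note: the following is an added example, not part of Eugene's mail and not code from unbound or FreeBSD. It triages log lines of the shape quoted above to separate the case shown here (root DNSKEY RRset fails validation against the configured trust anchor, after which unbound stops talking to the root servers) from a plain reachability problem. The root-server IPv4 table is the public list of the thirteen root server addresses; the sample log is constructed from the lines in the mail plus one non-root address (10.0.0.53) to show it being filtered out; the function names and verdict strings are this example's own.

```python
"""Triage unbound logs: is the resolver refusing the root servers because it
cannot validate the root DNSKEY RRset (a trust-anchor problem), or are they
simply unreachable?  Added example; not unbound's own code."""
import re
from collections import Counter

# IPv4 addresses of the thirteen root servers, keyed by address -> letter.
ROOT_SERVERS_V4 = {
    "198.41.0.4": "a", "199.9.14.201": "b", "192.33.4.12": "c",
    "199.7.91.13": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "198.97.190.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

# Constructed sample in the shape of the lines quoted in the mail above:
# a subset of the real excerpt plus one made-up non-root address.
SAMPLE_LOG = """\
Oct 13 14:37:11 gw unbound: [7756:0] info: autotrust process for . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: rrset failed to verify: all signatures are bogus
Oct 13 14:37:11 gw unbound: [7756:0] debug: Failed to match any usable anchor to a DNSKEY.
Oct 13 14:37:11 gw unbound: [7756:0] info: validate keys with anchor(DS): sec_status_bogus
Oct 13 14:37:11 gw unbound: [7756:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Oct 13 14:37:11 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 199.9.14.201 port 53 (len 16)
Oct 13 14:37:12 gw unbound: [7756:0] debug: blacklist add ip4 192.5.5.241 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add: cache
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 192.36.148.17 port 53 (len 16)
Oct 13 14:38:20 gw unbound: [7756:0] debug: blacklist add ip4 198.97.190.53 port 53 (len 16)
Oct 13 14:38:21 gw unbound: [7756:0] debug: blacklist add ip4 10.0.0.53 port 53 (len 16)
"""

BLACKLIST_RE = re.compile(r"blacklist add ip4 (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)")
PRIME_FAIL_RE = re.compile(r"failed to prime trust anchor")
BOGUS_RE = re.compile(r"sec_status_bogus|all signatures are bogus")


def parse_unbound_log(text):
    """Count trust-anchor priming failures, bogus RRset verdicts, and how
    often each upstream address was blacklisted on port 53."""
    summary = {"prime_failures": 0, "bogus_rrsets": 0, "blacklisted": Counter()}
    for line in text.splitlines():
        if PRIME_FAIL_RE.search(line):
            summary["prime_failures"] += 1
        if BOGUS_RE.search(line):
            summary["bogus_rrsets"] += 1
        m = BLACKLIST_RE.search(line)
        if m and m.group(2) == "53":
            summary["blacklisted"][m.group(1)] += 1
    return summary


def triage(text):
    """Map blacklisted addresses to root-server letters and give a verdict.

    trust-anchor-failure: root servers blacklisted *and* the root DNSKEY
        failed to validate, so the fix is the trust anchor (root.key /
        unbound-anchor), not the network.
    root-unreachable: root servers blacklisted with no validation failure
        logged, which points at timeouts or filtering instead.
    """
    s = parse_unbound_log(text)
    roots = sorted(ROOT_SERVERS_V4[ip] for ip in s["blacklisted"] if ip in ROOT_SERVERS_V4)
    others = sorted(ip for ip in s["blacklisted"] if ip not in ROOT_SERVERS_V4)
    if s["prime_failures"] and roots:
        verdict = "trust-anchor-failure"
    elif roots:
        verdict = "root-unreachable"
    else:
        verdict = "ok"
    return {"verdict": verdict, "roots": roots, "others": others,
            "prime_failures": s["prime_failures"], "bogus_rrsets": s["bogus_rrsets"]}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["verdict"], "root servers blacklisted:", ",".join(r["roots"]),
          "other addresses:", ",".join(r["others"]))
```

Run against the full excerpt in the mail, the blacklist covers every one of the thirteen root-server addresses, which is what you expect when the priming failure is on the validator's side rather than on the wire. One caveat on the workaround mentioned in the mail: "val-permissive-mode: yes" makes unbound return answers that failed validation instead of SERVFAIL (the AD bit is simply not set), so while it is in place clients get no DNSSEC protection at all; it buys time to repair the anchor, nothing more.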