From owner-freebsd-net@freebsd.org  Sat Oct 13 07:25:14 2018
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 48E4F10B8471
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Sat, 13 Oct 2018 07:25:14 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:d12:604::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id BB1CE8D352
 for <freebsd-net@freebsd.org>; Sat, 13 Oct 2018 07:25:13 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13:0:0:0:5])
 by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id w9D7P0Hx004917
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
 Sat, 13 Oct 2018 09:25:01 +0200 (CEST)
 (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: des@des.no
Received: from [10.58.0.4] ([10.58.0.4])
 by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id w9D7Oxt0088749
 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT);
 Sat, 13 Oct 2018 14:24:59 +0700 (+07)
 (envelope-from eugen@grosbein.net)
Subject: Re: DNS KSK rollover, local_unbound and 11.2-STABLE
To: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= <des@des.no>
References: <5BC046FB.9080906@grosbein.net> <861s8uaodn.fsf@next.des.no>
Cc: freebsd-net <freebsd-net@freebsd.org>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <b2e7a97c-6beb-c0cc-33ca-d8ce49775a7d@grosbein.net>
Date: Sat, 13 Oct 2018 14:24:53 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <861s8uaodn.fsf@next.des.no>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM,SPF_PASS
 autolearn=no autolearn_force=no version=3.4.1
X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  2.6 LOCAL_FROM From my domains
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Oct 2018 07:25:14 -0000

13.10.2018 3:41, Dag-Erling Smørgrav wrote:

> Eugene Grosbein <eugen@grosbein.net> writes:
>> It seems that 11.2-STABLE still has old unbound version 1.5.10 having
>> no option trust-anchor-signaling.
>>
>> Can it be a reason that my home router running stable/11 r338011 as
>> NanoBSD with stock local_unbound
>> as DNS recursive service for LAN stopped working today?
> 
> No.  If it was working before, it already had both KSKs.

It worked a day before, and before that too.

> Try this:
> 
> % /usr/bin/host -c CH -t TXT trustanchor.unbound <router-ip>
> trustanchor.unbound descriptive text ". 19036 20326"
> 
> The first number is the old KSK, the second number is the new KSK.

# /usr/bin/host -c CH -t TXT trustanchor.unbound 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host trustanchor.unbound not found: 5(REFUSED)

# /usr/bin/host -c CH -t TXT version.bind 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

version.bind descriptive text "unbound 1.5.10"

> You can also check that your root.key has both entries:
> 
> % grep -c '^[^;]' /var/unbound/root.key
> 2

# grep -c '^[^;]' /var/unbound/root.key
1

This nanobsd was last updated using r338011 stable/12 sources.
Run-time changes to its RAM-based /var partition do not survive reboots, though.

> or just look inside:
> 
> . 172800 IN DNSKEY [...] ;{id = 19036 (ksk), size = 2048b} [...]
> . 172800 IN DNSKEY [...] ;{id = 20326 (ksk), size = 2048b} [...]
> 
> In any case, if unbound-anchor is unable to get and validate the KSK, it
> will fall back to getting it over http (using an unvalidated DNS lookup)
> and verifying the accompanying signature against a hardcoded x509
> certificate which is valid until 2023.

# cat /var/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1539414586 ;;Sat Oct 13 14:09:46 2018
;;last_success: 1451318744 ;;Mon Dec 28 23:05:44 2015
;;next_probe_time: 1539415104 ;;Sat Oct 13 14:18:24 2018
;;query_failed: 159
;;query_interval: 43200
;;retry_time: 8640
.       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1448912140 ;;Tue Dec  1 02:35:40 2015

I've ran unbound-anchor manually and it changed /var/unbound/root.key to:

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1539414744 ;;Sat Oct 13 14:12:24 2018
;;last_success: 1451318744 ;;Mon Dec 28 23:05:44 2015
;;next_probe_time: 1539415104 ;;Sat Oct 13 14:18:24 2018
;;query_failed: 171
;;query_interval: 43200
;;retry_time: 8640
.       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1448912140 ;;Tue Dec  1 02:35:40 2015

I've ran it again in verbose mode:

# unbound-anchor -vv
/var/unbound/root.key has content
last successful probe: Mon Dec 28 23:05:44 2015
the last successful probe was more than 30 days ago
/var/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
trusted certificates (0/1)
        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
        Validity
            Not Before: Dec 23 04:19:12 2009 GMT
            Not After : Dec 18 04:19:12 2029 GMT
        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
resolved server address 72.21.81.189
resolved server address 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect to 2606:2800:11f:bb5:f27:227f:1bbf:a0e
server SSL certificate
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Aug 31 00:00:00 2018 GMT
            Not After : Apr 23 12:00:00 2020 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=Verizon Digital Media Services, Inc., CN=s2.wpc.edgecastcdn.net
SSL_write: GET /root-anchors/root-anchors.xml HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.10
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=86400'
header: 'Content-Type: text/xml'
header: 'Date: Sat, 13 Oct 2018 07:14:35 GMT'
header: 'Etag: "28b-54794f6820000"'
header: 'Expires: Sun, 14 Oct 2018 07:14:35 GMT'
header: 'Last-Modified: Fri, 03 Feb 2017 00:00:00 GMT'
header: 'Server: ECAcc (nya/7964)'
header: 'Strict-Transport-Security: max-age=48211200; preload'
header: 'X-Cache: HIT'
header: 'X-Frame-Options: SAMEORIGIN'
header: 'Content-Length: 651'
at 0/651
read 651 data
fetched root-anchors/root-anchors.xml (651 bytes)
connect to 72.21.81.189
server SSL certificate
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Aug 31 00:00:00 2018 GMT
            Not After : Apr 23 12:00:00 2020 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=Verizon Digital Media Services, Inc., CN=s2.wpc.edgecastcdn.net
SSL_write: GET /root-anchors/root-anchors.p7s HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.10
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=86400'
header: 'Content-Type: application/pkcs7-signature'
header: 'Date: Sat, 13 Oct 2018 07:14:36 GMT'
header: 'Etag: "fff-54794f6820000"'
header: 'Expires: Sun, 14 Oct 2018 07:14:36 GMT'
header: 'Last-Modified: Fri, 03 Feb 2017 00:00:00 GMT'
header: 'Server: ECAcc (nya/79A2)'
header: 'Strict-Transport-Security: max-age=48211200; preload'
header: 'X-Cache: HIT'
header: 'X-Frame-Options: SAMEORIGIN'
header: 'Content-Length: 4095'
at 0/4095
read 4095 data
fetched root-anchors/root-anchors.p7s (4095 bytes)
parsed the PKCS7 signature
setup the X509_STORE
signer 0: Subject: /O=ICANN/CN=dnssec@iana.org/emailAddress=dnssec@iana.org
the PKCS7 signature verified
XML was parsed successfully, 2 keys
success: the anchor has been updated using the cert

Now I see that this files is updated frequently without my manual intervention,
every minute or so, but it still contains only old KSK and shows

;;last_success: 1451318744 ;;Mon Dec 28 23:05:44 2015