Date: Thu, 08 Jan 2026 14:59:24 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 292275] local-unbound broke after updating to 15.0
Message-ID: <bug-292275-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292275

Bug ID: 292275
Summary: local-unbound broke after updating to 15.0
Product: Base System
Version: 15.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: jhb@FreeBSD.org

At some point in the past I had enabled local-unbound as a caching resolver on my desktop. I don't quite know which version of FreeBSD I was running when I originally did this. Likely a decade ago?

Anyway, after upgrading from 14.3-STABLE to 15.0-STABLE this week, it did not work after rebooting into the new world. The first error I encountered contained:

SSL routines:SSL_CTX_use_certificate:ee key too small

(I don't have the full error anymore unfortunately)

I attempted to resolve this by running `sh /etc/rc.d/local_unbound setup` to regenerate new keys. This did allow local-unbound to start, however, it failed all queries with `SERVFAIL`. I did see these messages in /var/log/debug when it started:

Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] notice: init module 0: validator
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] notice: init module 1: iterator
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: start of service (unbound 1.24.1).
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

Looking back before the upgrade, only the first two lines were logged during startup. I don't expect that the host's time was wrong as it regularly runs ntpd (it wasn't post-update since DNS was broken), and it's hard to imagine that it jumped by a significant portion during the minute or so it took to reboot.

At this point I disabled local-unbound, but I still have the /etc/unbound files around in case there is anything helpful from there.

--
You are receiving this mail because:
You are the assignee for the bug.
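
The `_ta-4a5c.` name in the log above has the form of an RFC 8145 key tag query, in which a validating resolver lists the key tags of its configured trust anchors as hex labels. The following is an added example, not part of the report or of FreeBSD/unbound code: it decodes those labels from log text and compares them with the root zone KSK key tags. The function names and the tag table are assumptions of this example.

```python
import re

# Root-zone KSK key tags (public IANA values); the labels are informal.
ROOT_KSK_TAGS = {19036: "KSK-2010 (revoked)", 20326: "KSK-2017", 38696: "KSK-2024"}
REVOKED_TAGS = {19036}

# Sample input: three lines taken from the log quoted in the report.
SAMPLE_LOG = """\
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: start of service (unbound 1.24.1).
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
"""

# RFC 8145 query name: "_ta" followed by one "-xxxx" hex label per key tag.
KEYTAG_RE = re.compile(r"generate keytag query _ta((?:-[0-9a-fA-F]{4})+)\.")
# Failure line: "<reason> <zone> DNSKEY IN" after the fixed prefix.
PRIME_FAIL_RE = re.compile(r"failed to prime trust anchor -- (.+?) (\S+) DNSKEY IN")


def decode_keytags(log_text):
    """Return the sorted, de-duplicated key tags signalled in _ta- queries."""
    tags = set()
    for m in KEYTAG_RE.finditer(log_text):
        tags.update(int(h, 16) for h in m.group(1).strip("-").split("-"))
    return sorted(tags)


def prime_failures(log_text):
    """Return (zone, reason) for each trust-anchor priming failure line."""
    return [(m.group(2), m.group(1)) for m in PRIME_FAIL_RE.finditer(log_text)]


def assess(log_text):
    """Label each signalled key tag and flag a resolver holding only revoked anchors."""
    tags = decode_keytags(log_text)
    return {
        "anchors": [(t, ROOT_KSK_TAGS.get(t, "unknown")) for t in tags],
        "only_revoked": bool(tags) and all(t in REVOKED_TAGS for t in tags),
        "prime_failures": prime_failures(log_text),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```
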
