From owner-freebsd-pkg@freebsd.org Sat May 1 23:23:13 2021
Date: Sat, 1 May 2021 19:23:11 -0400
From: Ryan Steinmetz
To: Rainer Duffner
Cc: patrick.prugger@uname.at, freebsd-pkg@freebsd.org, dnsadm@freebsd.org
Subject: Re: DNSSEC Errors on geo.freebsd.org
References: <0a0c01d73ece$22f1dc60$68d59520$@uname.at>
List-Id: Binary package management and package tools discussion

On (05/02/21 01:05), Rainer Duffner wrote:
>
>> On 01.05.2021 at 23:08, patrick.prugger--- via freebsd-pkg wrote:
>>
>> Hello everyone!
>>
>> I just turned on DNSSEC validation on my DNS and it came to my eye that pkg
>> now doesn't work anymore.
>> Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
>> repository catalogue.
>>
>> Unfortunately it seems freebsd.org is signed with DNSSEC, but
>> geo.freebsd.org isn't which leads to a DNSSEC error, broken chain of trust.
>> For a diagram look here:
>> https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
>>

There's no error here and this host does indeed work fine with a
validating recursive resolver. geo.freebsd.org is delegated to a
separate set of nameservers which handle geo-based replies. DNSSEC is
intentionally not present on the zone as the software that responds
with dynamic replies does not currently support signing those.

You should investigate your setup a bit more.

-r

>> Does anyone here have a contact to the maintainers of the freebsd.org DNS
>> zone?
>>
>
> https://www.freebsd.org/administration/#t-dnsadm
>

--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
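The reply's point is that an unsigned zone under a signed parent is not a validation failure: as long as the parent serves a signed NSEC/NSEC3 record proving that no DS exists for the delegation, a validator classifies the child as "insecure" rather than "bogus" and answers normally. The Python below is an added example, not code from the thread or from the FreeBSD project, that models that RFC 4035 section 5 classification over constructed zone data. The zone names mirror the thread, but every key, DS digest and delegation below is made up; RRSIG verification is assumed to have already succeeded, so the model only covers the DS/DNSKEY linkage and the insecure-delegation proof. The DS digest computation (SHA-256 over the owner name in wire form plus the DNSKEY RDATA) and the key-tag checksum follow RFC 4034.

```python
"""Toy model of the chain-of-trust walk a validating resolver performs
(RFC 4035 section 5): each delegation comes out secure, insecure or bogus.
All zone data is constructed for illustration; none of it is real freebsd.org
key material."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: flags (16 bit), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 appendix B (identifies which DNSKEY a DS refers to)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


class Zone:
    """What the model needs to know about one zone (all values constructed)."""

    def __init__(self, name, dnskey=None):
        self.name = name
        self.dnskey = dnskey      # DNSKEY RDATA, or None for an unsigned zone
        self.ds = {}              # child zone name -> set of DS digests published
        self.denied_ds = set()    # children with a signed NSEC/NSEC3 proving "no DS"


def validate_chain(qname: str, zones: dict) -> tuple:
    """Walk the delegations from the root down to qname; return (status, reason).
    Assumes every RRSIG on the way has already been verified."""
    labels = qname.rstrip(".").split(".")
    cuts = ["."]                      # the root is trusted via the configured anchor
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:        # only names that are zone cuts in our data
            cuts.append(candidate)
    for parent_name, child_name in zip(cuts, cuts[1:]):
        parent, child = zones[parent_name], zones[child_name]
        if child_name in parent.ds:
            # Parent vouches for the child: some DNSKEY must hash to a published DS.
            if child.dnskey is None:
                return "bogus", f"{parent_name} publishes DS for {child_name} but it has no DNSKEY"
            if ds_digest_sha256(child_name, child.dnskey) not in parent.ds[child_name]:
                return "bogus", f"no DNSKEY at {child_name} matches the DS in {parent_name}"
        elif child_name in parent.denied_ds:
            # Authenticated denial of DS: validation stops here without an error.
            return "insecure", f"{parent_name} proves there is no DS for {child_name}"
        else:
            return "bogus", f"{parent_name} neither provides nor denies a DS for {child_name}"
    return "secure", f"every delegation down to {cuts[-1]} is signed and linked"


def build_sample_zones() -> dict:
    """Constructed zone data mirroring the thread: freebsd.org is signed and
    geo.freebsd.org is an unsigned but properly delegated child."""
    root = Zone(".", dnskey_rdata(257, 8, b"constructed-root-key"))
    org = Zone("org.", dnskey_rdata(257, 8, b"constructed-org-key"))
    freebsd = Zone("freebsd.org.", dnskey_rdata(257, 8, b"constructed-freebsd-key"))
    geo = Zone("geo.freebsd.org.")                 # unsigned, serves dynamic replies
    broken = Zone("broken.freebsd.org.", dnskey_rdata(257, 8, b"rolled-key"))
    orphan = Zone("orphan.freebsd.org.")           # no DS and no denial: misconfigured
    root.ds["org."] = {ds_digest_sha256("org.", org.dnskey)}
    org.ds["freebsd.org."] = {ds_digest_sha256("freebsd.org.", freebsd.dnskey)}
    freebsd.denied_ds.add("geo.freebsd.org.")
    # Stale DS: computed for a key the child no longer publishes.
    freebsd.ds["broken.freebsd.org."] = {
        ds_digest_sha256("broken.freebsd.org.", dnskey_rdata(257, 8, b"old-key"))}
    return {z.name: z for z in (root, org, freebsd, geo, broken, orphan)}


ZONES = build_sample_zones()

if __name__ == "__main__":
    for name in ("www.freebsd.org.", "pkgmir.geo.freebsd.org.",
                 "broken.freebsd.org.", "orphan.freebsd.org."):
        print(name, *validate_chain(name, ZONES))
```

The three failure shapes the model distinguishes are the ones worth telling apart when a resolver returns SERVFAIL for a name like this: a DS that no longer matches any child DNSKEY (a bad key rollover), a parent that returns neither a DS nor a signed denial (which is what a forwarder that drops DNSSEC records looks like to the validator), and a genuinely insecure delegation, which is the geo.freebsd.org case and does not fail at all.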