LinuxQuestions.org
Old 02-16-2017, 05:20 AM   #1
chtsalid
unbound: [3958:1] info: validation failure google.com. A IN


Hi,

I am receiving the following logs from unbound.

Feb 16 09:50:34 rh2 unbound: [3958:0] info: start of service (unbound 1.4.20).
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: validation failure google.com. A IN

How can I add the google domain to the DNS anchor chain, so that answers are not rejected?

For the moment I configured domain-insecure: "google.com"

My topology is as follows:

Internet-----Windows 10-----VMware(Centos7)(IPA Server, DNS Service, 8.8.8.8 forwarder)----KVM----Host(unbound).

Many thanks!
 
Old 02-16-2017, 04:44 PM   #2
dijetlo
Quote:
bash-4.3# dig google.com SOA +dnssec

; <<>> DiG 9.10.4-P4 <<>> google.com SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7100
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;google.com. IN SOA

;; ANSWER SECTION:
google.com. 60 IN SOA ns2.google.com. dns-admin.google.com. 147714723 900 900 1800 60

;; Query time: 22 msec
;; SERVER: 68.105.28.11#53(68.105.28.11)
;; WHEN: Thu Feb 16 16:41:19 EST 2017
;; MSG SIZE rcvd: 89
Doesn't look like a problem with google...
Unbound is not a DNS solution I'm familiar with; however, a quick review of the manual suggests your issue might be related to a failure of the certificate on the node running unbound rather than google.
See: Unbound DNSSEC: Howto obtain an initial anchor

 
1 members found this post helpful.
Old 02-17-2017, 01:40 PM   #3
chtsalid
Hi,

Thank you for your answer. What I don't understand is the following...

When the forwarding address of unbound is the Google DNS, it passes the security check:

[root@rh2 unbound]# cat /etc/unbound/unbound.conf |grep forward-addr
forward-addr: 8.8.8.8
# forward-addr: 192.0.2.73@5355 # forward to port 5355.

[root@rh2 unbound]# dig google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46186
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 299 IN A 216.58.211.14

;; Query time: 88 msec
;; SERVER: 192.168.122.2#53(192.168.122.2)
;; WHEN: Fri Feb 17 17:02:18 CET 2017
;; MSG SIZE rcvd: 55

When my DNS server is configured as the forwarding address, it doesn't work. OK, this makes sense; it is due to DNSSEC.

[root@rh2 unbound]# cat /etc/unbound/unbound.conf |grep forward-addr
forward-addr: 192.168.122.1
# forward-addr: 192.0.2.73@5355 # forward to port 5355.

[root@rh2 unbound]# dig google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53431
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; Query time: 44 msec
;; SERVER: 192.168.122.2#53(192.168.122.2)
;; WHEN: Fri Feb 17 17:06:34 CET 2017
;; MSG SIZE rcvd: 39

But when I set the domain of my server as domain-insecure in the unbound config, why does it still not work?

[root@rh2 unbound]# cat /etc/unbound/unbound.conf |grep domain-insecure
domain-insecure: "lab.local"
[root@rh2 unbound]# dig google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; Query time: 21 msec
;; SERVER: 192.168.122.2#53(192.168.122.2)
;; WHEN: Fri Feb 17 17:10:19 CET 2017
;; MSG SIZE rcvd: 39


Many thanks!
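The three dig outputs in this post (and the one in post #2) differ in exactly the fields a validating resolver cares about: the `status`, whether the `ad` (authenticated data) flag is present, whether the `do` bit was set in the EDNS pseudosection, and whether any RRSIG records came back in the answer. None of the `NOERROR` answers quoted in this thread carries the `ad` flag, so none of them shows a resolver asserting that validation succeeded; they show an upstream answering, and the `SERVFAIL` from 192.168.122.2 is what a client sees when unbound rejects data as bogus. The parser below is an added example, not code from the thread or from unbound or dig; it reads dig output (trimmed copies of the outputs quoted in this thread, plus one constructed signed answer for `example.net` so the positive case is covered) and classifies each. The function names and verdict labels are the example's own.

```python
import re

# Constructed sample inputs: trimmed copies of the dig outputs quoted in this thread.
DIG_SOA_DNSSEC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7100
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
google.com. 60 IN SOA ns2.google.com. dns-admin.google.com. 147714723 900 900 1800 60
"""

DIG_VIA_8888 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46186
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
google.com. 299 IN A 216.58.211.14
"""

DIG_VIA_LAB = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53431
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
"""

# Constructed (not from the thread): the shape of an answer a validating resolver has verified.
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
example.net. 300 IN A 192.0.2.10
example.net. 300 IN RRSIG A 8 2 300 20170301000000 20170201000000 12345 example.net. ZXhhbXBsZQ==
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS: .*flags:([^;]*);", re.M)


def parse_dig(text):
    """Extract status, header flags, the EDNS DO bit and the answer-section records from dig output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    edns = EDNS_RE.search(text)
    answer, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):   # blank line or next section ends the answer
                in_answer = False
                continue
            answer.append(line.split())                     # owner, ttl, class, type, rdata...
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "do": "do" in (edns.group(1).split() if edns else []),
        "rrsigs": sum(1 for rr in answer if len(rr) > 3 and rr[3] == "RRSIG"),
        "answers": len(answer),
    }


def assess(text):
    """Classify what the dig output actually proves about DNSSEC."""
    d = parse_dig(text)
    if d["status"] == "SERVFAIL":
        verdict = "servfail"        # a validating resolver answers SERVFAIL for data it deems bogus
    elif "ad" in d["flags"]:
        verdict = "validated"       # the resolver asserts the data was DNSSEC-validated
    elif not d["do"]:
        verdict = "not-requested"   # DO bit unset: no signatures were asked for, nothing was proven
    elif d["rrsigs"] == 0:
        verdict = "no-signatures"   # signatures were asked for, none returned: unsigned or stripped upstream
    else:
        verdict = "unvalidated"     # signatures present, but the resolver did not set ad
    d["verdict"] = verdict
    return d


if __name__ == "__main__":
    for label, sample in [("SOA +dnssec (post #2)", DIG_SOA_DNSSEC), ("via 8.8.8.8", DIG_VIA_8888),
                          ("via lab server", DIG_VIA_LAB), ("constructed signed answer", DIG_VALIDATED)]:
        print("%-28s %s" % (label, assess(sample)["verdict"]))
```

To use it on a live host, pipe `dig <name> +dnssec` output into `assess`; a `no-signatures` verdict for a name you know is signed points at the forwarder rather than at the name being queried.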
 
Old 02-18-2017, 01:15 AM   #4
dijetlo
I think you have to create a primary anchor (think "chain of trust") for you to validate information for ~any~ other domain. Marking yourself as insecure (don't use DNSSEC when querying for yourself) doesn't change that the DNSSEC functionality can't be leveraged in any manner since it lacks an anchor for the chain of trust (that would be my guess, at least).
The software appears to come with the facility to self-generate a valid primary anchor and, to be honest, I'm curious to find out if I know what I'm talking about....

 
1 members found this post helpful.
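dijetlo's reasoning can be checked mechanically against the evidence in post #1: the record that failed to prime is `. DNSKEY` (the root zone), and unbound validates every signed name by chaining up to that root anchor, so a `domain-insecure` entry for `google.com` or `lab.local` only switches validation off for names under those domains and does nothing about the missing anchor. The script below is an added example, not code from the thread or from the unbound project. It reads unbound log lines (the ones quoted in post #1, reconstructed here) together with an `unbound.conf` fragment and reports what a defender would want to know: whether the root anchor primed, whether any anchor directive is configured at all, and whether `domain-insecure` entries are masking the symptom. The two config fragments are constructed for the example; the directives they use (`auto-trust-anchor-file`, `forward-zone`, `forward-addr`, `domain-insecure`) and the `unbound-anchor -a` bootstrap command are real unbound ones, while the finding codes and function names are the example's own. The forwarder finding is a pointer to verify, not a confirmed cause.

```python
import re
import sys

# Constructed sample input: the unbound log lines quoted in post #1 of this thread.
SAMPLE_LOG = """\
Feb 16 09:50:34 rh2 unbound: [3958:0] info: start of service (unbound 1.4.20).
Feb 16 09:50:37 rh2 unbound: [3958:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Feb 16 09:50:37 rh2 unbound: [3958:1] info: validation failure google.com. A IN
"""

# Constructed unbound.conf fragments (not the poster's real file).
# CONF_MASKING only skips validation for google.com; CONF_ANCHORED supplies a root anchor.
CONF_MASKING = """\
server:
    domain-insecure: "google.com"
forward-zone:
    name: "."
    forward-addr: 192.168.122.1
"""

CONF_ANCHORED = """\
server:
    # initial key written by: unbound-anchor -a /var/lib/unbound/root.key
    # unbound then keeps the file current itself (RFC 5011 rollover tracking)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 192.168.122.1
"""

ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file", "trust-anchor", "trusted-keys-file"}
PRIME_RE = re.compile(r"failed to prime trust anchor -- (?P<reason>.+?) (?P<zone>\S+) DNSKEY IN\s*$")
VALFAIL_RE = re.compile(r"validation failure (?P<name>\S+) (?P<rtype>\S+) IN\s*$")


def parse_log(text):
    """Return ({zone: reason} for anchors that failed to prime, [(name, rtype)] validation failures)."""
    prime_failed, failures = {}, []
    for line in text.splitlines():
        m = PRIME_RE.search(line)
        if m:
            prime_failed[m.group("zone")] = m.group("reason")
            continue
        m = VALFAIL_RE.search(line)
        if m:
            failures.append((m.group("name"), m.group("rtype")))
    return prime_failed, failures


def parse_conf(text):
    """Pull the anchor, domain-insecure and forward-addr directives out of an unbound.conf."""
    conf = {"anchors": [], "insecure": [], "forwarders": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not key or not value:                     # blank line, or a section header such as "server:"
            continue
        if key in ANCHOR_KEYS:
            conf["anchors"].append((key, value))
        elif key == "domain-insecure":
            conf["insecure"].append(value.rstrip(".").lower())
        elif key == "forward-addr":
            conf["forwarders"].append(value)
    return conf


def covered_by_insecure(name, insecure):
    """True if name is at or below a domain-insecure entry; that is the directive's only effect."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in insecure)


def diagnose(log_text, conf_text):
    """Combine log evidence and configuration into a list of (code, message) findings."""
    prime_failed, failures = parse_log(log_text)
    conf = parse_conf(conf_text)
    findings = []
    if "." in prime_failed:
        findings.append(("ROOT_ANCHOR_NOT_PRIMED",
                         "root DNSKEY could not be validated (%s); every signed zone will fail "
                         "validation until the anchor works" % prime_failed["."]))
    if not conf["anchors"]:
        findings.append(("NO_ANCHOR_CONFIGURED", "no trust-anchor directive in unbound.conf"))
    elif "." in prime_failed:
        findings.append(("FORWARDER_SUSPECT",
                         "anchor configured but not primed; check that forwarders %s return DNSSEC "
                         "records (DO bit honoured, RRSIG/DNSKEY passed through)" % ", ".join(conf["forwarders"])))
    if prime_failed and conf["insecure"]:
        findings.append(("DOMAIN_INSECURE_MASKS_SYMPTOM",
                         "domain-insecure %s only skips validation for those names; it does not repair the anchor"
                         % conf["insecure"]))
    for name, rtype in failures:
        if conf["insecure"] and not covered_by_insecure(name, conf["insecure"]):
            findings.append(("INSECURE_DOES_NOT_COVER", "%s %s is not under any domain-insecure entry" % (name, rtype)))
    return {"prime_failed": prime_failed, "failures": failures, "conf": conf, "findings": findings}


if __name__ == "__main__":
    # usage: diagnose.py [syslog-file] [unbound.conf]; without arguments the constructed samples are used
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    conf_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else CONF_MASKING
    for code, msg in diagnose(log_text, conf_text)["findings"]:
        print("%-30s %s" % (code, msg))
```

Point it at the syslog file that holds the lines from post #1 and at `/etc/unbound/unbound.conf`; after switching to the anchored configuration, `unbound-checkconf` confirms the file parses, and a restart with no `failed to prime trust anchor` line in the log is the signal that validation can now succeed.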