[Unbound-users] DNSSec validation

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Oct 3 08:49:42 UTC 2012


On Wed, Oct 3, 2012 at 10:16 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Nikos,
>> Hello, I'm trying to work with the DNSSec validation example in the
>> unbound tutorial [0]. My issue is that at some point it calls:
>> ub_ctx_add_ta_file() with a file called "keys" and that according
>> to the comment this is the "public keys for DNSSEC verification".
>> However what does that exactly mean? How do you obtain this list? I
>> have a high level  understanding of dnssec, and I'd expect that if
>> I set there the file /etc/unbound/root.key it should be able to
>> verify any domain, is that correct? (it doesn't seem to work)
>
> You need:
> ub_ctx_set_option(ctx, "auto-trust-anchor-file:",
> "/etc/unbound/root.key");
> because that file is in the 'auto-trust-anchor-file' format.

Thank you. I tried it, but in both cases I get the same error message:
Result is bogus: validation failure <www.nlnetlabs.nl. A IN>: no
signatures from 10.0.2.3 for trust anchor . while building chain of
trust

I increased debugging but I cannot really follow the log, which
contains entries like:
[1349253750] libunbound[3158:0] info: super is www.nlnetlabs.nl. A IN
[1349253750] libunbound[3158:0] info: autotrust process for . DNSKEY IN
[1349253750] libunbound[3158:0] debug: rrset failed to verify due to a
lack of signatures
[1349253750] libunbound[3158:0] debug: Failed to match any usable
anchor to a DNSKEY.
[1349253750] libunbound[3158:0] debug: autotrust: validate DNSKEY with
anchor: sec_status_bogus
[1349253750] libunbound[3158:0] debug: autotrust: dnskey did not verify.
[1349253750] libunbound[3158:0] debug: autotrust: write to disk: root.key.3158-0
[1349253750] libunbound[3158:0] debug: autotrust: replaced root.key
[1349253750] libunbound[3158:0] debug: rrset failed to verify due to a
lack of signatures
[1349253750] libunbound[3158:0] debug: Failed to match any usable
anchor to a DNSKEY.

regards,
Nikos



More information about the Unbound-users mailing list