https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292275
Bug ID: 292275
Summary: local-unbound broke after updating to 15.0
Product: Base System
Version: 15.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
At some point in the past I had enabled local-unbound as a caching resolver on
my desktop. I don't quite know which version of FreeBSD I was running when I
originally did this. Likely a decade ago? Anyway, after upgrading from
14.3-STABLE to 15.0-STABLE this week, it did not work after rebooting into the
new world.
The first error I encountered contained:
SSL routines:SSL_CTX_use_certificate:ee key too small
(I don't have the full error anymore unfortunately)
I attempted to resolve this by running `sh /etc/rc.d/local_unbound setup` to
regenerate new keys. This did allow local-unbound to start, however, it failed
all queries with `SERVFAIL`. I did see these messages in /var/log/debug when it
started:
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] notice: init module 0: validator
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] notice: init module 1: iterator
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: start of service (unbound 1.24.1).
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Looking back before the upgrade, only the first two lines were logged during
startup. I don't expect that the host's time was wrong as it regularly runs
ntpd (it wasn't post-update since DNS was broken), and it's hard to imagine
that it jumped by a significant portion during the minute or so it took to
reboot.
At this point I disabled local-unbound, but I still have the /etc/unbound files
around in case there is anything helpful from there.
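Added example (not part of the bug report, and not FreeBSD's or unbound's own code): the `generate keytag query _ta-4a5c.` lines in the log are RFC 8145 trust-anchor signalling, where the hex suffix encodes the key tags of the root DNSKEYs the resolver currently trusts. The script below decodes such labels from log lines modelled on the ones quoted above, maps them against the root KSK key tags published by IANA (19036 for KSK-2010, 20326 for KSK-2017, 38696 for KSK-2024; these constants are assumed from IANA's public records), and computes RFC 4034 key tags for the DNSKEY records in a trust-anchor file in unbound's autotrust layout so the contents of root.key can be compared with what the log says. The sample log, the sample anchor file (with a placeholder key, not a real root KSK) and all function names are constructed for this example.

```python
import base64
import re
import struct

# Root-zone KSK key tags as published by IANA (assumed here from public
# records, not taken from the bug report). A resolver whose anchor set holds
# only 19036 cannot validate the root zone: KSK-2010 was retired in 2019.
ROOT_KSK_TAGS = {
    19036: "KSK-2010 (retired 2019)",
    20326: "KSK-2017 (in use)",
    38696: "KSK-2024 (successor to KSK-2017)",
}
USABLE_ROOT_KSK_TAGS = {20326, 38696}

# Constructed sample, modelled on the log lines quoted in the report.
SAMPLE_LOG = """\
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] notice: init module 0: validator
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: start of service (unbound 1.24.1).
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: generate keytag query _ta-4a5c. NULL IN
Jan 7 21:17:42 ralph local-unbound[5982]: [5982:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
"""

TA_QUERY_RE = re.compile(r"generate keytag query (_ta-[0-9a-fA-F-]+)\.")


def decode_ta_label(label):
    """Decode an RFC 8145 key-tag signalling name ("_ta-4a5c", "_ta-4a5c-4f66")
    into the list of decimal key tags the resolver says it trusts."""
    if not label.startswith("_ta-"):
        raise ValueError("not a _ta- label: %r" % label)
    return [int(part, 16) for part in label[4:].split("-")]


def analyse_unbound_log(text):
    """Return (signalled_key_tags, prime_failed): the key tags unbound
    advertised in its _ta- queries and whether trust-anchor priming failed."""
    tags = []
    prime_failed = False
    for line in text.splitlines():
        m = TA_QUERY_RE.search(line)
        if m:
            for tag in decode_ta_label(m.group(1)):
                if tag not in tags:
                    tags.append(tag)
        if "failed to prime trust anchor" in line:
            prime_failed = True
    return tags, prime_failed


def assess_anchor_set(tags):
    """'current' if any usable root KSK tag is present, 'stale' if every tag
    is a known but retired root KSK, 'unknown' if a tag is not a root KSK."""
    if any(t in USABLE_ROOT_KSK_TAGS for t in tags):
        return "current"
    if tags and all(t in ROOT_KSK_TAGS for t in tags):
        return "stale"
    return "unknown"


def compute_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY record per RFC 4034 Appendix B (the general
    algorithm; the RSA/MD5 special case is not handled and is not used by the root)."""
    rdata = struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tags_in_anchor_file(text):
    """Key tags of the DNSKEY records in a trust-anchor file laid out like
    unbound's root.key (autotrust format): ';' comments are skipped and the
    trailing ';{...}' annotation on a record line is ignored."""
    tags = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        tags.append(compute_key_tag(flags, proto, alg, "".join(fields[i + 4:])))
    return tags


# Constructed anchor file with a tiny placeholder key (not a real root KSK).
SAMPLE_ANCHOR_FILE = """\
; autotrust trust anchor file (constructed example)
;;id: . 1
.\t86400\tIN\tDNSKEY\t257 3 8 AQI= ;{id = 1291 (ksk)} ;;state=2
"""

if __name__ == "__main__":
    tags, failed = analyse_unbound_log(SAMPLE_LOG)
    print("signalled key tags:", tags, "->", assess_anchor_set(tags), "; priming failed:", failed)
    print("anchor file key tags:", key_tags_in_anchor_file(SAMPLE_ANCHOR_FILE))
```

Run against a real system, `key_tags_in_anchor_file` would be fed the contents of the resolver's root.key, and a result that lacks 20326 (or 38696) while the log signals only `_ta-4a5c` points at a stale anchor rather than at clock skew, since a wrong clock would produce signature-validity errors instead of a DNSKEY set that never chains to a trusted key.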