This happens often when used forwarder filters out DNSSEC records like RRSIG.
If you are not using forwarders, someone on your connection might intercept those queries and answer them instead of root servers, without proper signatures. If that were the case, you should not use such connection. Try command "dig +dnssec @a.root-servers.net | grep RRSIG" for any root server you want to check. It should always deliver RRSIG. root-servers.net should not have DNSKEY, they are unsigned. That is okay. Ensure you have dnskey query working: unbound-host -rvD -t dnskey . that should report (secure) for all queries. On 5/1/22 20:43, dy1977--- via Unbound-users wrote: > Hello > > I am facing a sudden problem on several devices : > > lists of errors in Unboud log : > > info: generate keytag query _ta-4f66. NULL IN > info: failed to prime trust anchor -- could not fetch DNSKEY rrset . > DNSKEY IN > > 100 lines of that, around 10 times the first line, and 90 times the > second. > > and after that : > > info: validation failure <e.root-servers.net. A IN>: no DNSKEY rrset > from 192.36.148.17 and 192.36.148.17 and (...) for trust anchor . > while building chain of trust > > and this repeated for b.root..., c.root... and so on. > > At the place where I wrote (...) a list of Ip addresses, which can be > the same address repeated up to 25 times, or different addresses, some > repeated and others no. > > Sometimes using unbound-anchor seemed to fix the problem, other times > no. The command is successful, but the messages still appear. > > These errors appear suddenly for un unknown reason. > > I saw in a PfSense forum that this may come from having dnssec anb > forwarding at the same time. But forwarding is not used here. > > Any clue to understand would be appreciated. > > Thanks > > Dysmas > > -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
