Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Unbound: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN

    General pfSense Questions
    3
    9
    525
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      ray123 last edited by

      Hi

      Suddenly I could not contact pfSense's DNS resolver (unbound) anymore. Restarting pfSense and/or restarting the unbound service did not help.

      I then ran clog -f /var/log/resolver.log and could see the following lines repeating over and over again:

      Apr  9 14:59:59 firewall unbound: [57899:0] info: generate keytag query _ta-4f66. NULL IN
      Apr  9 14:59:59 firewall unbound: [57899:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
      

      I then remembered that I had DNSSec support enabled in the DNS resolver. I turned it off and voilà, DNS lookups were again possible.

      Of course this should be a temporary solution, since I would like to enable DNSSec support again.
      What can I do to solve this issue?

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        Your actually "resolving" - or did you setup dot or forwarding mode in unbound?

        1 Reply Last reply Reply Quote 0
        • R
          ray123 last edited by

          Well, that was it I guess. I just realized that forwarding mode was enabled, which, according to the docs (https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html) is recommended to be disabled when using DNSSEC.
          Turning off the forwarding mode and enabling DNSSEC seems to reply dns queries again.

          I probably would have wished a less cryptic error message and/or disabling the forwarding mode in the UI when DNSSEC was enabled.

          Thank you for pointing me in the right direction.

          => Solved

          1 Reply Last reply Reply Quote 0
          • Gertjan
            Gertjan last edited by

            @ray123 said in Unbound: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN:

            failed to prime trust anchor -- could not fetch DNSKEY rrset

            pfSense version ?

            Is the pfSense system time and zone ok ??

            R 1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by johnpoz

              Not sure how pfsense is suppose to make an applications errors easier to read for the user? Unbound is a just a application that pfsense is using and has created a gui to manage it with.. Other than the user having to edit the conf files directly, etc.

              Its still the application, and understanding how it works and what it does would be up to the user..

              What the user should prob do is not touch shit they are not clear on how or what its doing ;) Out of the box pfsense would resolve and user really has zero to do for fully functional dns with dnssec out of the box.

              What should happen is when you switch to forwarder mode - the gui should auto disable dnssec, since its utterly pointless to have those dnssec settings when your forwarding.. It never makes sense to do such a thing.

              But keeping the user from shooting themselves is a never ending battle ;) You can put the gun on safe, you can have it locked up in a safe, with a trigger lock even. And the bullets in another safe - and still the user manages to blow off their little toe, which clearly is the guns fault ;) heheheh

              Gertjan 1 Reply Last reply Reply Quote 0
              • Gertjan
                Gertjan @johnpoz last edited by

                @johnpoz said in Unbound: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN:

                the gui should auto disable dnssec, since its utterly pointless to have those dnssec settings when your forwarding.

                Ah !!!
                A @johnpoz pull request is coming up ?!!

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  Are you writing one? I have no issues with how everything currently setup.. I don't really care for user proofing to be honest ;) It always a never ending battle that the user will still find a way to shoot themselves - heheh

                  But sure if your going to try and user proof it, disabling dnssec when forwarding mode is selected would be a good choice..

                  1 Reply Last reply Reply Quote 0
                  • R
                    ray123 @Gertjan last edited by

                    @Gertjan
                    pfSense 2.4.5 and time + timezone is correct.

                    @johnpoz
                    I mostly agree with what you say. I especially agree that it is up to the user to get informed how the stuff works. If one wants to enable DNSSEC one should clearly disable the forwarding mode. The mistake here is on my side and not on pfSense. I must have enabled forwarding mode by mistake, since that was not my intention at all.

                    So much to that.

                    However:
                    I still believe the wording in the options is improvable. The option to enable DNSSEC mentions the word "support" ("Enable DNSSEC Support" to be precise). It does not mention that enabling that support disables support for regular queries (If that's even correct?) as a fallback when dnssec is unavailable (due to misconfiguration like in my case). Probably it is a translation error on my side, since english isn't my first language and I have a different understanding what "support" means. My understanding was that pfSense/unbound will use DNSSEC if available and not use it when it is not available (due to whatever reasons).
                    Of course, one can always consult the documentations to read how it works (but even there, it says that it is "recommended" to disable forwarding mode and not that it is mandatory :-)).

                    But as you said yourself, this is a neverending story and users (like me) always find a way to shoot themselves :-) So, all good on my side.

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by johnpoz

                      @ray123 said in Unbound: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN:

                      nabling that support disables support for regular queries (If that's even correct?

                      No enabling dnssec does not disable normal non dnssec - the vast majority of the internet is not dnssec signed.. Is a sad state of affairs to be honest..

                      While the % of signed tlds is pretty good.. The percent of total domains is not...

                      edit: Here is the site I was looking for!!!
                      https://rick.eng.br/dnssecstat/

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post

                      Products

                      • Platform Overview
                      • TNSR
                      • pfSense Plus
                      • Appliances

                      Services

                      • Training
                      • Professional Services

                      Support

                      • Subscription Plans
                      • Contact Support
                      • Product Lifecycle
                      • Documentation

                      News

                      • Media Coverage
                      • Press
                      • Events

                      Resources

                      • Blog
                      • FAQ
                      • Find a Partner
                      • Resource Library
                      • Security Information

                      Company

                      • About Us
                      • Careers
                      • Partners
                      • Contact Us
                      • Legal
                      Our Mission

                      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                      Subscribe to our Newsletter

                      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                      © 2021 Rubicon Communications, LLC | Privacy Policy