DNS not working after update to 2.4.5-RELEASE-p1

MarekAndreansky

Can't resolve any hostnames, tried turning forwarding on and off without any effect.

Which logs would help in troubleshooting?

The DNS resolver logs show

"info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN"

I have pfBlockerNG installed as well, tried disabling but that did not help.

MarekAndreansky

Disabling DNSSEC Support in DNS Resolver / General Settings did allow me to resolve dns.

But am surprised this broke after the update.

marcnarc

My DNS just stopped working a couple of hours ago. I'm on plain 2.4.5, using the DNS Resolver, and I had DNSSEC enabled. This has been working fine for months.

It looks like a recent update of the /var/unbound/root.key file maybe made things ooky?

[2.4.5-RELEASE][root@mirage.home]/var/unbound: unbound-host -C /var/unbound/unbound.conf -t A google.com
[1592681234] libunbound[71916:0] notice: init module 0: validator
[1592681234] libunbound[71916:0] error: unable to open /root.key for reading: No such file or directory
[1592681234] libunbound[71916:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
[1592681234] libunbound[71916:0] error: validator: error in trustanchors config
[1592681234] libunbound[71916:0] error: validator: could not apply configuration settings.
[1592681234] libunbound[71916:0] error: module init for module validator failed
resolve error: initialization failure

I tried deleting the file and restarting unbound (which re-creates the file) but no luck. While in this state, the unbound process was chewing up the CPU, and my state table was full.

The bad root.key file is (I have no idea if this is truly bad or not):

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1592677389 ;;Sat Jun 20 14:23:09 2020
;;last_success: 1592677389 ;;Sat Jun 20 14:23:09 2020
;;next_probe_time: 1592719788 ;;Sun Jun 21 02:09:48 2020
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.       86400   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1592144646 ;;Sun Jun 14 10:24:06 2020

Things only started working again when I disabled DNSSEC. (Or when I enabled Forwarding Mode, but I prefer to do my own DNS resolution.)

Lovely way to spend a couple of hours on a sunny Saturday afternoon!

jward311

I'm glad I'm not the only one. I thought I was going crazy this morning. I applied the update a couple of days ago and all went fine. This morning after making one firewall rule change, I had issues resolving DNS. I use DNS-over-TLS and only when I toggled (Unchecked & saved - Rechecked & saved) the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" under the DNS Resolver settings, did it start resolving properly. Very strange.