Failed to prime trust anchor

DHCP and DNS
gjaltemba:

When I check the DNSSEC option in the DNS Resolver, I see the following log message and nslookup returns SERVFAIL. This only happens on one particular pfSense. Other than unchecking DNSSEC, how do I fix it?

pfSense unbound: [48351:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN

voxeljorz:

Has anybody encountered this issue? I also experienced this when enabling DNSSEC.

ToddCsense:

I get the same error when I check/start "Enable Forwarding Mode" on the DNS Resolver page.

And then DNS queries from the client do not resolve. (I can still successfully run Diagnostics: DNS Lookup from the pfSense box.)

I get several of the same messages in Status: System Logs: Resolver:

unbound: [28250:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN

Running v. 2.2.5 on SG-2440
General Setup: DNS: (openDNS servers: 208.67.222.222, 208.67.220.220)

Todd

doktornotor:

@ToddCsense:

unbound: [28250:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
General Setup: DNS: (openDNS servers: 208.67.222.222, 208.67.220.220)

Stop forwarding to DNS servers that do not understand DNSSEC. Or disable DNSSEC.

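The diagnosis above is that a forwarder which does not speak DNSSEC hands back the root DNSKEY set without its RRSIGs, so unbound has nothing it can validate when it primes its trust anchor. The Python below is an added example, not code from this thread or from pfSense: it sends the same kind of ". DNSKEY" query with the EDNS0 DO bit that a validator sends, and reports whether the answer still carries RRSIGs; the two sample responses are constructed with dummy rdata, and the `probe()` server argument is whatever upstream you want to check.

```python
import socket
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41  # RR type codes

def build_root_dnskey_query(txid=0x1234):
    # '. DNSKEY IN' with RD set plus an EDNS0 OPT record whose DO bit asks for RRSIGs.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)            # QD=1, AR=1
    question = b"\x00" + struct.pack(">HH", DNSKEY, 1)                   # root name, IN
    opt = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)   # DO=1
    return header + question + opt

def _skip_name(msg, off):  # advance past a wire-format name, compressed or not
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                                   # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    summary = {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
               "dnskey": types.count(DNSKEY), "rrsig": types.count(RRSIG)}
    # unbound can only prime its anchor if the root DNSKEY answer still carries its RRSIGs.
    summary["usable"] = summary["rcode"] == 0 and summary["dnskey"] > 0 and summary["rrsig"] > 0
    return summary

def probe(server, timeout=3.0):  # live check of one upstream (needs network; not used by the test)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_dnskey_query(), (server, 53))
        return inspect_response(s.recvfrom(4096)[0])

def _rr(rtype, rdata):  # one RR owned by the root name, class IN, TTL 3600
    return b"\x00" + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata

# Constructed sample responses with dummy rdata (not real key material): SIGNED is what a DNSSEC-aware
# forwarder returns; STRIPPED lost the RRSIG, the shape that makes unbound log "failed to prime trust anchor".
_Q = b"\x00" + struct.pack(">HH", DNSKEY, 1)
SIGNED = (struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0) + _Q
          + _rr(DNSKEY, b"\x01\x01\x03\x08" + b"\xaa" * 8) + _rr(RRSIG, b"\x00\x30\x08\x00" + b"\xbb" * 20))
STRIPPED = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _rr(DNSKEY, b"\x01\x01\x03\x08" + b"\xaa" * 8)
```

Run `probe("<upstream ip>")` against each server listed under General Setup before turning on forwarding mode; an upstream whose summary has `usable` false will produce exactly the log line quoted in this thread.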
ToddCsense:

Right, I was just coming back to edit my earlier post as I just read (https://doc.pfsense.org/index.php/Unbound_DNS_Resolver):

"Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support."

So I assume that OpenDNS has some other kind of DNS security other than DNSSEC and that is why I am getting the errors in the log.

Thanks,

Todd

doktornotor:

OpenDNS has been anti-DNSSEC for ages and stuck with their own wheel re-invention (typical DJBware). So yeah, they are just unusable for DNSSEC.
