Failed to prime trust anchor

  • When I check DNSSEC option in dns resolver I see the following log message and nslookup returns SERVFAIL. Only happens on one particular pfsense. Other than uncheck DNSSEC, how to fix?

    pfSense unbound: [48351:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN



  • Anybody have encountered this issue? I also experienced this when enabling DNSSEC.



  • I get the same error when I check/start: "Enable Forwarding Mode" in the DNS Resolver page.

    AND then DNS queries from the client do not resolve. (Still can successfully Diagnostics: DNS Lookup from pfSense box.)

    I get several of this same messages in Status:System Logs: Resolver:

    unbound: [28250:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN

    Running v. 2.2.5 on SG-2440
    General Setup: DNS: (openDNS servers: 208.67.222.222, 208.67.220.220)

    Todd


  • Banned

    @ToddCsense:

    unbound: [28250:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
    General Setup: DNS: (openDNS servers: 208.67.222.222, 208.67.220.220)

    Stop forwarding to DNS servers that do not understand DNSSEC. Or disable DNSSEC.
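
One way to confirm whether a forwarder actually understands DNSSEC before pointing unbound at it: send it the same query unbound uses to prime the trust anchor (the root DNSKEY set) with the EDNS DO bit set, and see whether RRSIG records come back. This is an added example, not code from pfSense or unbound; the helper names and the constructed reply are assumptions.

```python
"""Check whether an upstream DNS forwarder returns DNSSEC data (RRSIGs) for the root DNSKEY set."""
import socket
import struct

TYPE_RRSIG, TYPE_DNSKEY, TYPE_OPT = 46, 48, 41

def build_query(txid=0x1234):
    # Standard query for ". DNSKEY IN" with RD=1 and an EDNS0 OPT record carrying the DO bit,
    # which asks the server to include RRSIGs (this is what dig +dnssec does).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)          # root name is a single zero label
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)  # DO flag lives in the TTL field
    return header + question + opt

def _skip_name(msg, off):
    # Advance past a wire-format name, which may be a label sequence or a compression pointer
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def parse_response(msg):
    # Return rcode, the AD flag, and how many DNSKEY / RRSIG records the answer section holds
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "dnskey": types.count(TYPE_DNSKEY), "rrsig": types.count(TYPE_RRSIG)}

def upstream_supports_dnssec(server, timeout=3.0):
    # True only if the forwarder answers NOERROR with both DNSKEY and RRSIG records for the root
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), (server, 53))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    return result["rcode"] == 0 and result["dnskey"] > 0 and result["rrsig"] > 0, result

def fake_response(answer_types, ad=True):
    # Constructed reply for offline testing: root question plus one 4-byte dummy RR per type (not real keys)
    flags = 0x8180 | (0x0020 if ad else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer_types), 0, 0) + b"\x00" + struct.pack("!HH", TYPE_DNSKEY, 1)
    for rtype in answer_types:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, 4) + b"\x00\x01\x02\x03"
    return msg
```

A forwarder that strips RRSIGs (DNSKEY present, RRSIG count zero) is exactly the case that makes unbound log "DNSKEY rrset is not secure" and answer SERVFAIL when validation is on.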



  • Right, I was just coming back to edit my earlier post as I just read (https://doc.pfsense.org/index.php/Unbound_DNS_Resolver):

    "Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support."

    So I assume that OpenDNS has some other kind of DNS security other than DNSSEC and that is why I am getting the errors in the log.

    Thanks,

    Todd


  • Banned

    OpenDNS has been anti-DNSSEC for ages and stuck with their own wheel re-invention (typical DJBware). So yeah, they are just unusable for DNSSEC.

