Failed to prime trust anchor
-
When I check the DNSSEC option in the DNS Resolver, I see the following log message and nslookup returns SERVFAIL. It only happens on one particular pfSense. Other than unchecking DNSSEC, how do I fix it?
pfSense unbound: [48351:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
-
Has anybody encountered this issue? I also experienced this when enabling DNSSEC.
-
I get the same error when I check/start "Enable Forwarding Mode" in the DNS Resolver page.
And then DNS queries from the client do not resolve. (Diagnostics: DNS Lookup from the pfSense box still succeeds.)
I get several of this same message in Status: System Logs: Resolver:
unbound: [28250:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Running v. 2.2.5 on SG-2440
General Setup: DNS: (openDNS servers: 208.67.222.222, 208.67.220.220)
*Todd
-
unbound: [28250:1] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
General Setup: DNS: (openDNS servers: 208.67.222.222, 208.67.220.220)
Stop forwarding to DNS servers that do not understand DNSSEC. Or disable DNSSEC.
-
Right, I was just coming back to edit my earlier post as I just read (https://doc.pfsense.org/index.php/Unbound_DNS_Resolver):
"Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support."
So I assume that OpenDNS has some other kind of DNS security other than DNSSEC and that is why I am getting the errors in the log.
Thanks,
Todd
-
OpenDNS has been anti-DNSSEC for ages and stuck with their own wheel re-invention (typical DJBware). So yeah, they are just unusable for DNSSEC.
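The check behind the advice in this thread (forwarding mode is only safe when the upstream resolver returns validated DNSSEC data) can be run before enabling the option. The script below is an added example, not code from the thread or from pfSense or Unbound. It assumes the `dig` utility is installed for the live check; the two sample `dig` outputs are constructed to show the two cases, and the key and signature material in them is made up, not captured from OpenDNS or any other resolver.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an upstream resolver can be
# used behind Unbound's forwarding mode with DNSSEC enabled. Assumes `dig`
# (bind-tools / bind9-dnsutils) is installed for the live check; the sample
# outputs below are constructed, not captured from any real resolver.

# Given the text output of `dig . DNSKEY +dnssec`, return 0 when the answer is
# usable for validation: the resolver set the AD flag and returned the RRSIG
# over the root DNSKEY RRset. A forwarder that strips DNSSEC data fails here,
# which is the condition behind "DNSKEY rrset is not secure" in the Unbound log.
dnssec_capable() {
    out=$1
    # AD (authenticated data) flag present in the header flags line
    printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]' || return 1
    # RRSIG covering the DNSKEY RRset present in the answer section
    printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]RRSIG[[:space:]]DNSKEY' || return 1
    return 0
}

# Live check of one upstream by IP (needs network access and dig).
check_upstream() {
    dnssec_capable "$(dig @"$1" . DNSKEY +dnssec +noall +comments +answer 2>/dev/null)"
}

# Constructed sample: what a validating, DNSSEC-aware resolver returns.
SAMPLE_VALIDATING=$(cat <<'EOF'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
.			172800	IN	DNSKEY	256 3 8 AwEAAexample_zsk_key_material_constructed==
.			172800	IN	DNSKEY	257 3 8 AwEAAexample_ksk_key_material_constructed==
.			172800	IN	RRSIG	DNSKEY 8 0 172800 20380101000000 20240101000000 20326 . example_signature_constructed==
EOF
)

# Constructed sample: a resolver that answers but strips all DNSSEC material
# (no AD flag, no RRSIG), which is what makes Unbound fail to prime the anchor.
SAMPLE_PLAIN=$(cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
.			172800	IN	DNSKEY	256 3 8 AwEAAexample_zsk_key_material_constructed==
.			172800	IN	DNSKEY	257 3 8 AwEAAexample_ksk_key_material_constructed==
EOF
)

# Verdict for one dig output, phrased as the forwarding-mode decision.
verdict() {
    if dnssec_capable "$1"; then
        echo "usable: upstream returns validated DNSSEC data, forwarding mode is safe"
    else
        echo "not usable: upstream strips DNSSEC data, disable forwarding mode or pick another upstream"
    fi
}

verdict "$SAMPLE_VALIDATING"
verdict "$SAMPLE_PLAIN"

# Optional live checks: ./check_upstream.sh 208.67.222.222 9.9.9.9
for server in "$@"; do
    if check_upstream "$server"; then
        echo "$server: validates DNSSEC"
    else
        echo "$server: not DNSSEC-capable"
    fi
done
```

Both conditions matter: a resolver can return DNSKEY records without RRSIGs (the second sample), and a resolver can pass RRSIGs through without validating them (no AD flag); in either case Unbound behind forwarding mode cannot build a secure chain from its trust anchor and will log the message quoted above.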