Unbound fails all queries [FTLDNS DNSSEC]

Trying to get Unbound working with the FTLDNS beta.

Installed according to the guide.
dig results:

root@pihole:~# dig pi-hole.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45995
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.net. IN A

;; Query time: 653 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 09:23:29 BST 2018
;; MSG SIZE rcvd: 40

root@pihole:~# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net. IN A

;; Query time: 677 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 09:26:53 BST 2018
;; MSG SIZE rcvd: 55

So good queries are failing; looks like a DNSSEC issue.
Added a log file as suggested on another topic here.

root@pihole:~# tail /var/log/unbound.log -f
[1529051004] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051005] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051006] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051007] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051008] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051009] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051208] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051209] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051210] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051211] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051212] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051213] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN

Config file:

server:
    logfile: /var/log/unbound.log
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close-to-expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

pi@raspberrypi:~ $ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19049
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 3568 IN     A       134.91.78.139

;; AUTHORITY SECTION:
verteiltesysteme.net.   3568    IN      NS      ns2.verteiltesysteme.net.
verteiltesysteme.net.   3568    IN      NS      ns1.verteiltesysteme.net.

;; ADDITIONAL SECTION:
ns1.verteiltesysteme.net. 3568  IN      A       134.91.78.139
ns1.verteiltesysteme.net. 3568  IN      AAAA    2001:638:501:8efc::139
ns2.verteiltesysteme.net. 3568  IN      A       134.91.78.141
ns2.verteiltesysteme.net. 3568  IN      AAAA    2001:638:501:8efc::141

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Fri Jun 15 16:25:08 UTC 2018
;; MSG SIZE  rcvd: 195

is what is returned when I attempt the same thing.

Yes, that is what it is MEANT to return; mine is broken.

Did you do the optional step of retrieving and moving the root.hints file?

Yes, and checked it was installed properly.

This is gonna sound crazy, but is your system date correct?

Also, this may have the info needed: https://unbound.net/documentation/howto_anchor.html

It's running ntp so it should be. Will have a read of that.

OK, still erroring.
unbound-anchor errors:

root@pihole:~# unbound-anchor -v -a /etc/unbound/root.key
/etc/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed
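The checks this thread walks through by hand (the sigok query, the "failed to prime trust anchor" log lines, the unbound-anchor -v output) can be scripted. The following is an added example, not code from the thread or from Pi-hole/Unbound. It assumes `dig` is on PATH for the one live function, that sigfail.verteiltesysteme.net is the deliberately mis-signed companion of sigok.verteiltesysteme.net (it is, but the thread only queries sigok), and all function names are my own; the sample inputs are constructed from what is pasted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a DNSSEC-validating
# Unbound. Everything except check_resolver works on captured text, so it can
# be run on the output pasted above. Assumptions: `dig` is on PATH for the live
# check, and sigfail.verteiltesysteme.net is the deliberately mis-signed
# companion of sigok.verteiltesysteme.net. All function names are my own.

# "NOERROR", "SERVFAIL", ... from the dig response header; empty if no answer.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Header flags, e.g. "qr rd ra ad".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# True when the AD (authenticated data) bit is set: the resolver validated it.
dig_has_ad() {
    case " $(dig_flags "$1") " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Verdict from the sigok/sigfail pair ($1 = sigok output, $2 = sigfail output):
#   validating         sigok NOERROR with AD, sigfail SERVFAIL  (healthy)
#   not-validating     both NOERROR, no AD                      (DNSSEC off)
#   validation-broken  sigok SERVFAIL                           (good data rejected:
#                      trust anchor, clock or root reachability problem)
#   unreachable        no status line at all
classify_validation() {
    ok_status=$(dig_status "$1")
    fail_status=$(dig_status "$2")
    if [ -z "$ok_status" ]; then
        echo unreachable
    elif [ "$ok_status" = NOERROR ] && dig_has_ad "$1" && [ "$fail_status" = SERVFAIL ]; then
        echo validating
    elif [ "$ok_status" = NOERROR ] && ! dig_has_ad "$1" && [ "$fail_status" = NOERROR ]; then
        echo not-validating
    elif [ "$ok_status" = SERVFAIL ]; then
        echo validation-broken
    else
        echo inconclusive
    fi
}

# Number of "failed to prime trust anchor" lines in an unbound log excerpt.
anchor_prime_failures() {
    printf '%s\n' "$1" | grep -c 'failed to prime trust anchor' || true
}

# True when `unbound-anchor -v` output contains no "fail:" line. Its exit code
# cannot be used for this: per its man page it is 0 on error as well as on
# success (1 only means the anchor was replaced from the certificate or the
# builtin copy), so the text has to be parsed.
anchor_output_ok() {
    ! printf '%s\n' "$1" | grep -q '^fail:'
}

# Live check (needs network). Usage: check_resolver 127.0.0.1 5353
check_resolver() {
    host=${1:-127.0.0.1}
    port=${2:-53}
    ok_out=$(dig sigok.verteiltesysteme.net A "@$host" -p "$port" +time=3 +tries=1 || true)
    fail_out=$(dig sigfail.verteiltesysteme.net A "@$host" -p "$port" +time=3 +tries=1 || true)
    classify_validation "$ok_out" "$fail_out"
}

# Constructed samples, trimmed from what is pasted in this thread.
SIGOK_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SIGOK_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19049
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5'
SIGFAIL_GOOD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
NOAD_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
UNBOUND_LOG='[1529051004] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
[1529051005] unbound[10249:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN'
ANCHOR_BAD='/etc/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed'

# With arguments, run the live check against that resolver; otherwise only
# the samples are classified.
if [ $# -gt 0 ]; then
    check_resolver "$@"
else
    echo "thread's resolver: $(classify_validation "$SIGOK_BROKEN" "$SIGFAIL_GOOD"), $(anchor_prime_failures "$UNBOUND_LOG") priming failures in log"
    echo "healthy resolver:  $(classify_validation "$SIGOK_GOOD" "$SIGFAIL_GOOD")"
fi
```

Run it as `sh dnssec_triage.sh 127.0.0.1 5353` against the Unbound from this thread. A `validation-broken` verdict together with "could not fetch DNSKEY rrset" in the log means Unbound never got the root DNSKEY at all, so the next things to check are whether the Pi can reach the root servers directly (for example `dig . DNSKEY @a.root-servers.net +dnssec +bufsize=1472`, over TCP as well) and the system clock, before suspecting the key in root.key itself.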

Beginning to wonder if it is the DietPi subsystem that is at fault here. Not got time to rebuild it on Raspbian until I return from holiday.

I do not know what DietPi would be doing to this; perhaps submit an issue on their GitHub repo with the same info found here.

I'll put this on hold till I come back and rebuild the "server" with a Raspbian image and try again.
