Re: DNSSEC Errors on geo.freebsd.org
patrick.prugger at uname.at
Sun May 2 18:55:04 UTC 2021
Hello everyone!
After hours of debugging I found out it actually seems to be a bug in the
TLS interface of unbound 1.9.0.2.
I just patched to unbound 1.13.1 from buster-backports and now it works.
Thanks for your help!
Best regards
Patrick Prugger
-----Original Message-----
From: Ryan Steinmetz <zi at freebsd.org>
Sent: Sunday, 2 May 2021 01:23
To: Rainer Duffner <rainer at ultra-secure.de>
Cc: patrick.prugger at uname.at; freebsd-pkg at freebsd.org; dnsadm at freebsd.org
Subject: Re: DNSSEC Errors on geo.freebsd.org
On (05/02/21 01:05), Rainer Duffner wrote:
>
>
>> On 01.05.2021 at 23:08, patrick.prugger--- via freebsd-pkg <freebsd-pkg at freebsd.org> wrote:
>>
>> Hello everyone!
>>
>> I just turned on DNSSEC validation on my DNS and it came to my eye
>> that pkg now doesn't work anymore.
>> Pkg is trying to access http://pkgmir.geo.freebsd.org/ to download the
>> repository catalogue.
>>
>> Unfortunately it seems freebsd.org is signed with DNSSEC, but
>> geo.freebsd.org isn't which leads to a DNSSEC error, broken chain of
>> trust.
>> For a diagram look here:
>> https://dnsviz.net/d/pkgmir.geo.freebsd.org/dnssec/
>>
There's no error here and this host does indeed work fine with a validating
recursive resolver.
geo.freebsd.org is delegated to a separate set of nameservers which handle
geo-based replies. DNSSEC is intentionally not present on the zone as the
software that responds with dynamic replies does not currently support
signing those.
You should investigate your setup a bit more.
-r
>> Does anyone here have a contact to the maintainers of the freebsd.org
>> DNS zone?
>>
>
>https://www.freebsd.org/administration/#t-dnsadm
>
>
>
--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7