Fix failed to prime trust anchor — DNSKEY rrset is not secure . DNSKEY IN

After installing Unbound on an OpenWrt router, I noticed that after a reboot, DNS was not working. I saw many of these errors in the log:

failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

I discovered that the system date was wrong. As this device lacks a hardware clock, when the machine boots it cannot synchronize the time via NTP because there is no resolver (Unbound doesn’t start because the date validation of the ICANN certificate fails). It’s a chicken-and-egg problem.

To solve this, I added to /etc/rc.local a manual synchronization against the IP address of an NTP server:

/usr/sbin/ntpd -n -q -N -p 130.206.3.166

Another possible solution would be to hardcode the IP addresses of some of your configured NTP servers in /etc/hosts.
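
A more defensive form of the rc.local line above, as an added example that is not part of the original post: it runs the one-shot sync only when the clock is clearly unset, and passes only IP literals as peers, because a hostname would need the resolver that is not working yet. CLOCK_FLOOR, NTP_PEERS, the NTPD override, the function names and the 192.0.2.10 placeholder address are assumptions; BusyBox ntpd accepts -p more than once.

```sh
#!/bin/sh
# Added example, not from the original post. CLOCK_FLOOR, NTP_PEERS, NTPD and
# all function names are assumptions made for this sketch.

CLOCK_FLOOR=1483228800                # constructed: 2017-01-01 00:00:00 UTC
NTP_PEERS="130.206.3.166 192.0.2.10"  # IP from the post + a placeholder address
NTPD="${NTPD:-/usr/sbin/ntpd}"

# Succeeds only for a dotted-quad IPv4 literal.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds when the clock ($1, epoch seconds) predates the floor, i.e. the
# device booted without a valid time.
clock_is_unset() {
    [ "$1" -lt "$CLOCK_FLOOR" ]
}

# Print "-p IP" arguments for every IP literal in NTP_PEERS. Hostnames are
# skipped: resolving them needs the resolver that is not working yet.
peer_args() {
    args=""
    for peer in $NTP_PEERS; do
        if is_ipv4 "$peer"; then args="$args -p $peer"; fi
    done
    echo "${args# }"
}

# One-shot sync with the flags used in the post, only when the clock is unset.
bootstrap_clock() {
    clock_is_unset "$1" || return 0
    peers=$(peer_args)
    [ -n "$peers" ] || return 1
    "$NTPD" -n -q -N $peers
}

bootstrap_clock "$(date +%s)" || echo "clock bootstrap failed" >&2
```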
