Bug 1180267

Summary: root key management does not comply with RFC5011
Product: Red Hat Enterprise Linux 7
Reporter: Petr Spacek <pspacek>
Component: unbound
Assignee: Tomáš Hozza <thozza>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.1
CC: emajorsi, jscotka, lmiksik, rskvaril, thozza, tomek
Target Milestone: rc
Keywords: EasyFix
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: unbound-1.4.20-26.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured.
Story Points: ---
Last Closed: 2015-11-19 14:46:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1215645
Bug Blocks: 1110700, 1191021

Description Petr Spacek 2015-01-08 17:54:11 UTC
Description of problem:
unbound-anchor is not run at the right interval, so our unbound package does not comply with RFC 5011:

http://tools.ietf.org/html/rfc5011#section-2.3 says:
   A resolver that has been configured for an automatic update of keys
   from a particular trust point MUST query that trust point (e.g., do a
   lookup for the DNSKEY RRSet and related RRSIG records) no less often
   than the lesser of 15 days, half the original TTL for the DNSKEY
   RRSet, or half the RRSIG expiration interval and no more often than
   once per hour.  The expiration interval is the amount of time from
   when the RRSIG was last retrieved until the expiration time in the
   RRSIG.  That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL,
   1/2*RRSigExpirationInterval))

Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. It means that unbound-anchor should be run at least once a day.

Currently, unbound-anchor is run once a month instead of once a day.

Version-Release number of selected component (if applicable):
unbound-1.4.20-19.el7

How reproducible:
100%

Steps to Reproduce:
1. look at /etc/cron.d/unbound-anchor

Actual results:
Currently, unbound-anchor is run once a month instead of once a day.

Expected results:
Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. It means that unbound-anchor should be run at least once a day.


Additional info:
It might be better to convert cron job to systemd timer so it could get run once a day at random time. Currently it gets run at the very same time on all RHEL machines with the package. That could lead to spikes in network traffic ...
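
The RFC 5011 query-interval rule quoted above, worked through as a schedule check. This is an added example and not code from the unbound package, from unbound-anchor, or from this bug report: the root DNSKEY TTL of 172800 s is the value stated in the report, while the 21-day RRSIG expiration interval, the 30-day approximation of the old monthly cron schedule, the worst-case jitter model and the function names are assumptions made for illustration.

```python
"""
RFC 5011 section 2.3 polling-interval check for a trust-anchor updater such as
unbound-anchor. Added example; not code from the unbound package or from this
bug report. The root-zone DNSKEY TTL (172800 s) comes from the report; the
RRSIG expiration interval and the candidate schedules are assumed values.
"""
from datetime import timedelta

HOUR = timedelta(hours=1)
FIFTEEN_DAYS = timedelta(days=15)

# Taken from the report: DNSKEY TTL in the root zone.
ROOT_DNSKEY_TTL = timedelta(seconds=172800)
# Assumed value for illustration: time from retrieval until RRSIG expiration.
ASSUMED_RRSIG_EXPIRATION = timedelta(days=21)


def query_interval(orig_ttl, rrsig_expiration):
    """Longest allowed gap between trust-point queries, per RFC 5011 2.3:
    queryInterval = MAX(1 hr, MIN(15 days, OrigTTL/2, RRSigExpirationInterval/2)).
    The MAX clause is the floor (never required to poll more often than hourly),
    the MIN clause is the cap that a short TTL or RRSIG lifetime pulls down."""
    return max(HOUR, min(FIFTEEN_DAYS, orig_ttl / 2, rrsig_expiration / 2))


def worst_case_gap(period, jitter=timedelta(0)):
    """Largest spacing two consecutive runs can have when each run may fire
    anywhere in [nominal, nominal + jitter]. Assumed model: one run fires at
    the start of its window and the next at the very end of its own window."""
    return period + jitter


def schedule_complies(period, orig_ttl, rrsig_expiration, jitter=timedelta(0)):
    """True if a schedule with the given nominal period (and optional random
    delay) queries no more often than once per hour and, even in the worst
    case, no less often than queryInterval."""
    limit = query_interval(orig_ttl, rrsig_expiration)
    return period >= HOUR and worst_case_gap(period, jitter) <= limit


def report(candidates, orig_ttl=ROOT_DNSKEY_TTL,
           rrsig_expiration=ASSUMED_RRSIG_EXPIRATION):
    """Evaluate named (period, jitter) schedules; returns {name: complies}."""
    return {name: schedule_complies(period, orig_ttl, rrsig_expiration, jitter)
            for name, (period, jitter) in candidates.items()}


if __name__ == "__main__":
    # Constructed schedules: cron monthly (~30 days, as in the unfixed package),
    # a daily timer, a daily timer delayed randomly within a 24 h window,
    # and an aggressive half-hourly job.
    schedules = {
        "cron monthly":       (timedelta(days=30), timedelta(0)),
        "daily":              (timedelta(days=1), timedelta(0)),
        "daily + 24h jitter": (timedelta(days=1), timedelta(hours=24)),
        "every 30 minutes":   (timedelta(minutes=30), timedelta(0)),
    }
    limit = query_interval(ROOT_DNSKEY_TTL, ASSUMED_RRSIG_EXPIRATION)
    print(f"queryInterval for the root zone: {limit}")
    for name, ok in report(schedules).items():
        print(f"{name:20s} {'complies' if ok else 'does NOT comply'}")
```

Running the script gives queryInterval = 1 day for the root zone (half of the 2-day TTL wins over both the 15-day cap and half of the assumed RRSIG lifetime) and flags the monthly cron schedule, the half-hourly job and, under the assumed worst-case model, a daily run whose delay is drawn independently over a full 24 h window, since two such runs can be nearly 48 h apart. Whether a real timer re-draws its delay every day depends on the randomisation mechanism in use, so that last case is a check to run against the actual unit rather than a finding about the shipped one.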

Comment 2 Tomáš Hozza 2015-01-09 08:54:23 UTC
Thank you for noticing this.

Comment 7 Tomáš Hozza 2015-08-10 15:14:51 UTC
From an engineering point of view, this bug cannot be properly verified without Bug #1215645 being fixed first. Bug #1215645 is a hard blocker for this issue, and if Bug #1215645 is not fixed in 7.2, then this bug cannot be released as part of the Unbound update.

Comment 14 Radka Brychtova 2015-09-25 15:36:34 UTC
With the fix in redhat-release (server/client), the unbound-anchor.timer is set even after a reboot of the system.

# systemctl status unbound-anchor.timer
unbound-anchor.timer - daily update of the root trust anchor for DNSSEC
   Loaded: loaded (/usr/lib/systemd/system/unbound-anchor.timer; enabled)
   Active: active (waiting) since Fri 2015-09-25 11:29:21 EDT; 3min 40s ago
     Docs: man:unbound-anchor(8)

Sep 25 11:29:21 kvm-guest-03.rhts.eng.bos.redhat.com systemd[1]: Starting daily update of the root trust anchor ...EC.
Sep 25 11:29:21 kvm-guest-03.rhts.eng.bos.redhat.com systemd[1]: Started daily update of the root trust anchor f...EC.

Comment 15 errata-xmlrpc 2015-11-19 14:46:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2455.html