Bug 1598078

Summary: Unbound-anchor RFC 5011 root keys update does not work without direct root server query
Product: [Fedora] Fedora Reporter: Petr Menšík <pemensik>
Component: unboundAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: pemensik, pj.pandit, pwouters
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: unbound-1.7.3-3.fc28 unbound-1.7.3-3.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-11 20:20:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Menšík 2018-07-04 09:54:58 UTC 
Description of problem:
Periodic timer of unbound-anchor is running to maintain root trust anchor daily. However it requires direct connection to root servers, it would never try local forwarders. If that machine is running in environment with restricted direct connection to both DNS servers and HTTPS at data.iana.org, RFC 5011 would not work.

Version-Release number of selected component (if applicable):
unbound-0:1.6.0-6.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Block access to all DNS servers but your forwarders.
2. Block HTTPS connection to data.iana.org.
3. systemctl start unbound-anchor

Actual results:
/var/lib/unbound/root.key is not modified
systemctl status unbound-anchor shows failed
local DNS server is never tried

Expected results:
/var/lib/unbound/root.key is modified with update timestamp
local DNS server is checked for DNSSEC support first


Additional info:
I think it should prefer local DNS server and only try direct root query if it fails. It can delay new key fetch by local DNS server cache. It will reduce load of root servers. It will work on intranets without direct access to the Internet if local forwarders support DNSSEC.
Comment 1 Petr Menšík 2018-07-04 10:37:31 UTC 
Tracked on upstream as https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112
Comment 2 Fedora Update System 2018-07-04 11:53:09 UTC 
unbound-1.7.3-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2be76af59f
Comment 3 Fedora Update System 2018-07-04 12:41:42 UTC 
unbound-1.7.3-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3326fc0232
Comment 4 Fedora Update System 2018-07-04 16:23:46 UTC 
unbound-1.7.3-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3326fc0232
Comment 5 Fedora Update System 2018-07-04 18:22:42 UTC 
unbound-1.7.3-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2be76af59f
Comment 6 Fedora Update System 2018-07-11 20:20:48 UTC 
unbound-1.7.3-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2018-07-31 17:10:02 UTC 
unbound-1.7.3-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.