Bug 1922448

Summary: [RFE] Allow disabling unbound-anchor during startup
Product: Red Hat Enterprise Linux 8
Reporter: Husam Ahmed Chaudhary <huchaudh>
Component: unbound
Assignee: aegorenk
Status: CLOSED ERRATA
QA Contact: František Hrdina <fhrdina>
Severity: low
Docs Contact:
Priority: unspecified
Version: 8.3
CC: aegorenk, jorton, peter.vreman, rickatnight11, sbalasub
Target Milestone: rc
Keywords: AutoVerified, FutureFeature, Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: unbound-1.7.3-16.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1951923
Environment:
Last Closed: 2021-11-09 18:05:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1951923

Description Husam Ahmed Chaudhary 2021-01-29 18:14:50 UTC
Description of problem:

For a DNS caching-only mode, unbound-anchor is not mandatory. In an internal DNS setup without perfect DNSSEC, unbound-anchor connects to the internet for the root servers on port 53.

These internet-connecting requests show up in the firewall for every server and are a security risk.

Request:

In the unbound.service systemd unit, add support for an environment variable DISABLE_UNBOUND_ANCHOR set in /etc/sysconfig/unbound that would then conditionally disable the current pre-start line.

~~~
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
~~~

This is similar to code that already exists in the named unit provided by the bind package, which already supports disabling the check_conf line using DISABLE_ZONE_CHECKING.

Example:

~~~
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
~~~

Comment 6 Rick White 2021-04-20 18:56:52 UTC
I ran into the same situation in an environment where DNSSEC is not supported, so `unbound.service` spends upwards of 20s on each start/restart unnecessarily running `unbound-anchor` while DNS requests are not served.

The workaround I came up with is to just override the systemd unit to remove that `ExecStartPre` line.  This can be done by setting the following in `/etc/systemd/system/unbound.service.d/override.conf`:

```
[Service]
ExecStartPre=
ExecStartPre=/usr/sbin/unbound-checkconf
```

...then running `systemctl daemon-reload`.  The second line blanks out the `ExecStartPre` directives set in the RPM-managed unit file, and the second line restores the config check that you DO still want to run.
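The override in Comment 6 relies on systemd's rule that an empty `ExecStartPre=` assignment in a drop-in clears every `ExecStartPre=` collected so far, after which later lines are appended. The script below is an added example (not from the bug report or the unbound package) that reproduces that rule over constructed copies of the unit and the drop-in, so the effective pre-start list can be checked before `daemon-reload`; the sample unit content and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example: emulate systemd's handling of ExecStartPre= across a unit
# file and its drop-ins. Not part of the bug report; sample files are constructed.

# Print the ExecStartPre commands left after reading the given files in order
# (unit file first, then drop-ins, the order systemd uses). An empty
# "ExecStartPre=" line resets the list, which is why the override must blank
# it before re-adding the config check.
effective_execstartpre() {
  awk '
    /^ExecStartPre=/ {
      value = substr($0, length("ExecStartPre=") + 1)
      if (value == "") { n = 0 }     # empty assignment clears earlier entries
      else { cmd[n++] = value }
    }
    END { for (i = 0; i < n; i++) print cmd[i] }
  ' "$@"
}

# Constructed sample standing in for /usr/lib/systemd/system/unbound.service
# (the anchor line from the report plus a config check) and for
# /etc/systemd/system/unbound.service.d/override.conf from Comment 6.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/unbound.service" <<'EOF'
[Service]
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
ExecStartPre=/usr/sbin/unbound-checkconf
EOF
cat > "$demo_dir/override.conf" <<'EOF'
[Service]
ExecStartPre=
ExecStartPre=/usr/sbin/unbound-checkconf
EOF

# Without the drop-in both commands run, including the network-bound anchor
# update (the leading "-" only makes its failure non-fatal, not optional).
effective_execstartpre "$demo_dir/unbound.service"
echo ---
# With the drop-in only the config check remains.
effective_execstartpre "$demo_dir/unbound.service" "$demo_dir/override.conf"
```

With the anchor update removed, /var/lib/unbound/root.key is no longer refreshed at service start, which only matters when unbound is configured to validate DNSSEC; for the caching-only case described in the report it is not needed.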

Comment 16 errata-xmlrpc 2021-11-09 18:05:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (unbound bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4194