Bug 2322697

Summary: Make possible disabling retrieval of root zone without change of configuration file
Product: [Fedora] Fedora Reporter: Tomas Korbar <tkorbar>
Component: unboundAssignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: paul.wouters, pemensik, pj.pandit
Target Milestone: ---Keywords: RFE
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: unbound-1.22.0-8.fc42 unbound-1.22.0-8.fc41 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-11-21 09:47:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Korbar 2024-10-30 10:14:52 UTC 
Hi,
Please provide a way how to set up Unbound service (sysconfig file, service drop-in file, ability to disable previously configured auth-zone in included configuration file) so it does not try to retrieve root zone from any root server.

For example: As a user in controlled environment i want to use Unbound for forwarding my queries to a set of DNS servers, without contacting any other server and having to change default configuration file.

Acceptance criteria

After recommended steps, unbound does not retrieve root zone from any root server on start up, without need to change the shipped configuration file.


Reproducible: Always

Steps to Reproduce:
1. Configure Unbound to forward all queries to a certain DNS server
2. Set up tcpdump to listen for DNS communication (tcpdump -nn -i <network_interface>"not host <upstream_dns_server> and (port 853 or port 53 or port 453)")
3. Start unbound and verify that tcpdump did not catch any DNS communication
Actual Results:  
15:31:40.455841 IP 192.168.6.2.60252 > 192.0.32.132.53: 20469 SOA? . (17)
15:31:40.556082 IP 192.168.6.2.60252 > 192.0.32.132.53: 20469 SOA? . (17)
15:31:40.852912 IP 192.168.6.2.58791 > 192.0.32.132.53: 22248 SOA? . (17)
15:31:40.953107 IP 192.168.6.2.58791 > 192.0.32.132.53: 22248 SOA? . (17)
15:31:41.153467 IP 192.168.6.2.58791 > 192.0.32.132.53: 22248 SOA? . (17)
15:31:41.554035 IP 192.168.6.2.58791 > 192.0.32.132.53: 22248 SOA? . (17)
15:31:42.355013 IP 192.168.6.2.58791 > 192.0.32.132.53: 22248 SOA? . (17)
15:31:43.956824 IP 192.168.6.2.44922 > 192.0.47.132.53: 46144 SOA? . (17)
15:31:44.057074 IP 192.168.6.2.44922 > 192.0.47.132.53: 46144 SOA? . (17)
15:31:44.257120 IP 192.168.6.2.44922 > 192.0.47.132.53: 46144 SOA? . (17)
15:31:44.656938 IP 192.168.6.2.44922 > 192.0.47.132.53: 46144 SOA? . (17)
15:31:45.457886 IP 192.168.6.2.44922 > 192.0.47.132.53: 46144 SOA? . (17)
15:31:47.059681 IP 192.168.6.2.44318 > 193.0.14.129.53: 30386 SOA? . (17)
15:31:47.159811 IP 192.168.6.2.44318 > 193.0.14.129.53: 30386 SOA? . (17)
15:31:47.360075 IP 192.168.6.2.44318 > 193.0.14.129.53: 30386 SOA? . (17)
15:31:47.760562 IP 192.168.6.2.44318 > 193.0.14.129.53: 30386 SOA? . (17)
15:31:48.561498 IP 192.168.6.2.44318 > 193.0.14.129.53: 30386 SOA? . (17)
15:31:50.163285 IP 192.168.6.2.60318 > 192.112.36.4.53: 20809 SOA? . (17)
15:31:50.263492 IP 192.168.6.2.60318 > 192.112.36.4.53: 20809 SOA? . (17)
15:31:50.463815 IP 192.168.6.2.60318 > 192.112.36.4.53: 20809 SOA? . (17)
15:31:50.864359 IP 192.168.6.2.60318 > 192.112.36.4.53: 20809 SOA? . (17)


Expected Results:  
No communication is logged
Comment 1 Petr Menšík 2024-11-11 15:02:26 UTC 
This is a problem with accepting custom TLD zones like .lan, .internal and such. The problem is not about SOA queries to ".", that is just less important manifest. But I think unwanted too.

What we do in dnsconfd is using forward definitions for those custom zones, not existing in normal DNS tree. Problem with authoritative data on client is any redirection via forwarding has lower priority. If authoritative copy of root zone is on the same instance, all forward definitions will get ignored. No matter whether forwarded via configuration file or via unbound-control forward_add. It just prevents using forwarders.

I also think downloading root copy is okay for network-wide resolvers, but we want unbound used *also* as localhost DNS cache. I doubt root operators would approve downloading root zone to every laptop and periodic maintenance for the zone. We haven't found simple way to disable local copy when uncommented in default config.

It seems to me we should ship our downstream defaults in /usr/share/unbound directory, in spirit with uapi-group spec:
https://github.com/uapi-group/specifications/blob/main/specs/configuration_files_specification.md

From there it might be included from /etc/unbound/unbound.conf. Just commenting out single include might allow omitting some defaults, like this one.

Something like generating:
/usr/share/unbound/conf.d/local-root.conf - authoritative root zone copy, used for whole network. Could have an own subpackage this way. Maybe unbound-network-resolver?
/usr/share/unbound/conf.d/private-networks.conf - insecure-domains for lan, test, internal and similar known domains. Suitable for unbound, which should forward even private queries to local network resolver. Maybe unbound-local-resolver?
/usr/share/unbound/conf.d/fedora.conf - Customized unbound defaults, which we use in general. Instead of patching multiple times example config file, just move only our modifications to common file.

Advantage of /usr/share config files it makes clear distinction what file is supposed to be maintained by distribution vendor. /etc/unbound would be just user-specific.

In /etc/unbound/unbound.conf, we would just put:
include: "/usr/share/unbound/conf.d/*.conf"
include: "/etc/unbound/conf.d/*.conf

What would you think about such solution? We do not know how the user wants to use unbound, but could prepare a recommended set for usage as network-wide resolver and another for localhost defaults.

Problem is systemd and libeconf implement /etc/ preference if the same named file exists also in /etc/, as well as in /usr/share. I do not think something similar is possible with unbound directly. Workaround might be symlink put into /etc/unbound/conf.d/$CONF.conf, leading to /usr/share/unbound/conf.d/$CONF.conf. User deleting symlink and replacing it with empty or custom file would deactivate that config. That seems best we can do with existing unbound features.

Paul, would you have better idea how to solve provided defaults, which can be user overriden?
Comment 2 Petr Menšík 2024-11-15 09:15:01 UTC 
Prepared PR: https://src.fedoraproject.org/rpms/unbound/pull-request/17#

That creates separate 2 files:
- unbound-as112-networks.conf - helper to easily forward all private addresses from your unbound. Useful when it acts as localhost resolver only and you are using internal private resolver. Which should handle all private ranges, home.arpa zone etc.
- unbound-local-root.conf - this contains uncommented local root auth zone definition. It would be disabled by default, but can be easily enabled.

To enable some of those, just:
cd /etc/unbound/conf.d/ && ln -rs /usr/share/unbound/conf.d/unbound-local-root.conf
Comment 3 Petr Menšík 2024-11-15 09:16:20 UTC 
I propose to have unbound-local-root.conf used on network-wide resolver, but instead unbound-as112-networks.conf on localhost resolvers. Because we do not know how the user wants it used, we can only make his decision simpler.
Comment 4 Fedora Update System 2024-11-19 19:53:34 UTC 
FEDORA-2024-8bb71c1fd7 (unbound-1.22.0-7.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-8bb71c1fd7
Comment 5 Fedora Update System 2024-11-19 20:07:51 UTC 
FEDORA-2024-aecc7c321e (unbound-1.22.0-7.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-aecc7c321e
Comment 6 Fedora Update System 2024-11-20 17:13:25 UTC 
FEDORA-2024-aecc7c321e has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-aecc7c321e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-aecc7c321e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2024-11-21 07:53:20 UTC 
FEDORA-2024-deb9b3f394 (unbound-1.22.0-8.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-deb9b3f394
Comment 8 Fedora Update System 2024-11-21 09:47:30 UTC 
FEDORA-2024-deb9b3f394 (unbound-1.22.0-8.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2024-11-23 04:36:37 UTC 
FEDORA-2024-aecc7c321e has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-aecc7c321e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-aecc7c321e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2024-11-25 01:55:22 UTC 
FEDORA-2024-aecc7c321e (unbound-1.22.0-8.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 11 Red Hat Bugzilla 2025-03-26 04:26:25 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days