Bug 1180267 - root key management does not comply with RFC5011
Summary: root key management does not comply with RFC5011
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: unbound
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 1215645
Blocks: 1110700 1191021
Reported: 2015-01-08 17:54 UTC by Petr Spacek
Modified: 2015-12-07 12:30 UTC (History)

Fixed In Version: unbound-1.4.20-26.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, there was a mistake in the time configuration in the cron job invoking unbound-anchor to update the root zone key. Consequently, unbound-anchor was invoked once a month instead of every day, thus not complying with RFC 5011. The cron job has been replaced with a systemd timer unit that is invoked on a daily basis. Now, the root zone key validity is checked daily at a random time within a 24-hour window, and compliance with RFC 5011 is ensured.
Clone Of:
Environment:
Last Closed: 2015-11-19 14:46:10 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2455 0 normal SHIPPED_LIVE Low: unbound security and bug fix update 2015-11-19 11:44:17 UTC

Description Petr Spacek 2015-01-08 17:54:11 UTC
Description of problem:
unbound-anchor is not run at the right interval, so our unbound package does not comply with RFC 5011:

http://tools.ietf.org/html/rfc5011#section-2.3 says:
   A resolver that has been configured for an automatic update of keys
   from a particular trust point MUST query that trust point (e.g., do a
   lookup for the DNSKEY RRSet and related RRSIG records) no less often
   than the lesser of 15 days, half the original TTL for the DNSKEY
   RRSet, or half the RRSIG expiration interval and no more often than
   once per hour.  The expiration interval is the amount of time from
   when the RRSIG was last retrieved until the expiration time in the
   RRSIG.  That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL,
   1/2*RRSigExpirationInterval))

Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. It means that unbound-anchor should be run at least once a day.

Currently, unbound-anchor is run once a month instead of once a day.

Version-Release number of selected component (if applicable):
unbound-1.4.20-19.el7

How reproducible:
100 %

Steps to Reproduce:
1. look at /etc/cron.d/unbound-anchor

Actual results:
Currently, unbound-anchor is run once a month instead of once a day.

Expected results:
Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. It means that unbound-anchor should be run at least once a day.


Additional info:
It might be better to convert the cron job to a systemd timer so it could be run once a day at a random time. Currently it gets run at the very same time on all RHEL machines with the package. That could lead to spikes in network traffic ...
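The RFC 5011 interval arithmetic from the report above, worked through as an added example (this is not code from the bug report or from the unbound project). It implements the queryInterval formula quoted from RFC 5011 section 2.3 and checks whether a given unbound-anchor polling period satisfies it. The DNSKEY TTL of 172800 seconds is the value stated in the report; the RRSIG expiration interval is an assumed sample value, since the report does not state one, and the function and class names are this example's own.

```python
"""RFC 5011 trust-anchor polling interval check (added example)."""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

# Constructed sample inputs. The DNSKEY TTL matches the value quoted in the
# bug report (172800 s); the RRSIG expiration interval is an assumption,
# because the report does not state it.
ROOT_DNSKEY_TTL = 172800
ASSUMED_RRSIG_EXPIRATION_INTERVAL = 14 * DAY


def query_interval(orig_ttl: int, rrsig_expiration_interval: int) -> int:
    """queryInterval = MAX(1 hr, MIN(15 days, 1/2*OrigTTL, 1/2*RRSigExpirationInterval)).

    All values are seconds. Integer division is used because the result is
    consumed as a whole number of seconds by a scheduler.
    """
    if orig_ttl <= 0 or rrsig_expiration_interval <= 0:
        raise ValueError("TTL and RRSIG expiration interval must be positive")
    return max(HOUR, min(15 * DAY, orig_ttl // 2, rrsig_expiration_interval // 2))


@dataclass(frozen=True)
class ScheduleCheck:
    period: int      # seconds between successive unbound-anchor runs
    required: int    # queryInterval computed from RFC 5011
    compliant: bool  # 1 hour <= period <= required


def check_schedule(period: int, orig_ttl: int, rrsig_expiration_interval: int) -> ScheduleCheck:
    """Return whether a polling period is neither slower than queryInterval
    nor faster than the RFC's once-per-hour upper bound."""
    required = query_interval(orig_ttl, rrsig_expiration_interval)
    return ScheduleCheck(period=period, required=required,
                         compliant=HOUR <= period <= required)


if __name__ == "__main__":
    # Compare the shipped monthly cron period with a daily timer period.
    for label, period in (("monthly cron", 30 * DAY), ("daily timer", DAY)):
        r = check_schedule(period, ROOT_DNSKEY_TTL, ASSUMED_RRSIG_EXPIRATION_INTERVAL)
        print(f"{label:12s}: period={r.period // HOUR}h "
              f"required<={r.required // HOUR}h compliant={r.compliant}")
```

With the report's TTL, queryInterval resolves to 86400 seconds (half of 172800), so a 30-day cron period fails the check and a one-day period passes; lowering the assumed RRSIG expiration interval below two days makes the RRSIG term the binding one instead.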

Comment 2 Tomáš Hozza 2015-01-09 08:54:23 UTC
Thank you for noticing this.

Comment 7 Tomáš Hozza 2015-08-10 15:14:51 UTC
From an engineering point of view, this bug cannot be properly verified without Bug #1215645 being fixed first. Bug #1215645 is a hard blocker for this issue, and if Bug #1215645 is not fixed in 7.2, then this bug cannot be released as part of the Unbound update.

Comment 14 Radka Brychtova 2015-09-25 15:36:34 UTC
With the fix in redhat-release (server/client),
the unbound-anchor.timer is set even after a reboot of the system.

# systemctl status unbound-anchor.timer
unbound-anchor.timer - daily update of the root trust anchor for DNSSEC
   Loaded: loaded (/usr/lib/systemd/system/unbound-anchor.timer; enabled)
   Active: active (waiting) since Fri 2015-09-25 11:29:21 EDT; 3min 40s ago
     Docs: man:unbound-anchor(8)

Sep 25 11:29:21 kvm-guest-03.rhts.eng.bos.redhat.com systemd[1]: Starting daily update of the root trust anchor ...EC.
Sep 25 11:29:21 kvm-guest-03.rhts.eng.bos.redhat.com systemd[1]: Started daily update of the root trust anchor f...EC.

Comment 15 errata-xmlrpc 2015-11-19 14:46:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2455.html

