Red Hat Bugzilla – Bug 1180267
root key management does not comply with RFC5011
Last modified: 2015-12-07 07:30:36 EST
Description of problem:
unbound-anchor is not run in the right interval so our unbound package does not comply with RFC 5011:

http://tools.ietf.org/html/rfc5011#section-2.3 says:

A resolver that has been configured for an automatic update of keys from a particular trust point MUST query that trust point (e.g., do a lookup for the DNSKEY RRSet and related RRSIG records) no less often than the lesser of 15 days, half the original TTL for the DNSKEY RRSet, or half the RRSIG expiration interval and no more often than once per hour. The expiration interval is the amount of time from when the RRSIG was last retrieved until the expiration time in the RRSIG.

That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL, 1/2*RRSigExpirationInterval))

Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. It means that unbound-anchor should be run at least once a day.

Currently, unbound-anchor is run once a month instead of once a day.

Version-Release number of selected component (if applicable):
unbound-1.4.20-19.el7

How reproducible:
100 %

Steps to Reproduce:
1. look at /etc/cron.d/unbound-anchor

Actual results:
Currently, unbound-anchor is run once a month instead of once a day.

Expected results:
Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. It means that unbound-anchor should be run at least once a day.

Additional info:
It might be better to convert the cron job to a systemd timer so it could get run once a day at a random time. Currently it gets run at the very same time on all RHEL machines with the package. That could lead to spikes in network traffic ...
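The RFC 5011 formula quoted above can be checked mechanically against a refresh schedule. The following is an added example for this report, not code from unbound or the Red Hat package: it computes the queryInterval from the formula, then compares it with a fixed run interval and with the largest gap between observed run timestamps (the kind of data one would pull from cron logs or the journal). The root DNSKEY TTL of 172800 s is the value from the report; the RRSIG expiration interval and the run timestamps are constructed sample values.

```python
"""Check a trust-anchor refresh schedule against the RFC 5011 query interval.

Added example for this bug report; not part of unbound or the Red Hat package.
RFC 5011 section 2.3:
    queryInterval = MAX(1 hr, MIN(15 days, 1/2*OrigTTL, 1/2*RRSigExpirationInterval))
"""
from datetime import datetime, timedelta

HOUR = 3600
DAY = 86400


def query_interval(orig_ttl: int, rrsig_expiration_interval: int) -> int:
    """Maximum seconds allowed between trust-point queries, per RFC 5011 2.3.

    orig_ttl: original TTL of the DNSKEY RRset (seconds).
    rrsig_expiration_interval: seconds from RRSIG retrieval to its expiration.
    """
    if orig_ttl <= 0 or rrsig_expiration_interval <= 0:
        raise ValueError("TTL and expiration interval must be positive")
    upper = min(15 * DAY, orig_ttl // 2, rrsig_expiration_interval // 2)
    # The one-hour floor keeps a very short TTL from forcing queries more
    # often than once per hour.
    return max(HOUR, upper)


def schedule_complies(run_interval: int, orig_ttl: int,
                      rrsig_expiration_interval: int) -> bool:
    """True if a job that runs every run_interval seconds meets RFC 5011."""
    return run_interval <= query_interval(orig_ttl, rrsig_expiration_interval)


def largest_gap(run_times) -> int:
    """Largest gap in seconds between consecutive observed runs."""
    times = sorted(run_times)
    if len(times) < 2:
        raise ValueError("need at least two run timestamps")
    return max(int((b - a).total_seconds()) for a, b in zip(times, times[1:]))


def observed_runs_comply(run_times, orig_ttl: int,
                         rrsig_expiration_interval: int) -> bool:
    """True if no gap between observed runs exceeds the RFC 5011 interval."""
    return largest_gap(run_times) <= query_interval(orig_ttl,
                                                    rrsig_expiration_interval)


ROOT_DNSKEY_TTL = 172800           # from the report: 2 days
SAMPLE_RRSIG_INTERVAL = 21 * DAY   # constructed sample, not a measured value

# Constructed run timestamps: a monthly cron job versus a daily timer.
MONTHLY_RUNS = [datetime(2015, 1, 1, 4, 0), datetime(2015, 2, 1, 4, 0),
                datetime(2015, 3, 1, 4, 0)]
DAILY_RUNS = [datetime(2015, 1, 1, 4, 0) + timedelta(days=i) for i in range(3)]

if __name__ == "__main__":
    q = query_interval(ROOT_DNSKEY_TTL, SAMPLE_RRSIG_INTERVAL)
    print(f"RFC 5011 query interval for the root: {q} s ({q / DAY:g} day)")
    print("monthly cron complies:",
          observed_runs_comply(MONTHLY_RUNS, ROOT_DNSKEY_TTL, SAMPLE_RRSIG_INTERVAL))
    print("daily timer complies:",
          observed_runs_comply(DAILY_RUNS, ROOT_DNSKEY_TTL, SAMPLE_RRSIG_INTERVAL))
```

With the root's 2-day TTL the bound is half the TTL, 86400 s, so a monthly job fails and a daily one passes; the same functions show the 15-day cap taking over for long TTLs and the one-hour floor for very short ones.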
Thank you for noticing this.
From an engineering point of view, this bug cannot be properly verified without Bug #1215645 being fixed first. Bug #1215645 is a hard blocker for this issue, and if Bug #1215645 is not fixed in 7.2, then this bug cannot be released as part of the Unbound update.
With the fix in redhat-release (server/client), the unbound-anchor.timer is set even after a reboot of the system:

# systemctl status unbound-anchor.timer
unbound-anchor.timer - daily update of the root trust anchor for DNSSEC
   Loaded: loaded (/usr/lib/systemd/system/unbound-anchor.timer; enabled)
   Active: active (waiting) since Fri 2015-09-25 11:29:21 EDT; 3min 40s ago
     Docs: man:unbound-anchor(8)

Sep 25 11:29:21 kvm-guest-03.rhts.eng.bos.redhat.com systemd[1]: Starting daily update of the root trust anchor ...EC.
Sep 25 11:29:21 kvm-guest-03.rhts.eng.bos.redhat.com systemd[1]: Started daily update of the root trust anchor f...EC.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2455.html