Bug 1457130 - Unbound-anchor RFC 5011 root keys update does not work without direct root server query
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: unbound
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Martin Osvald 🛹
QA Contact: qe-baseos-daemons
Depends On: 1456859
Blocks: 1457133
Reported: 2017-05-31 07:58 UTC by Petr Menšík
Modified: 2019-08-08 14:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1456859
: 1457133
Last Closed: 2019-08-08 14:50:15 UTC
Target Upstream Version:


Related bug:
System: Red Hat Bugzilla
ID: 1598078
Priority: unspecified
Status: CLOSED
Summary: Unbound-anchor RFC 5011 root keys update does not work without direct root server query
Last Updated: 2019-11-18 08:23:52 UTC

Internal Links: 1598078

Description Petr Menšík 2017-05-31 07:58:54 UTC
+++ This bug was initially created as a clone of Bug #1456859 +++

Description of problem:
The periodic timer of unbound-anchor runs to maintain the root trust anchor daily. However, it requires a direct connection to the root servers; it would never try local forwarders. If that machine is running in an environment with restricted direct connection to both DNS servers and HTTPS at data.iana.org, RFC 5011 would not work.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Block access to all DNS servers but your forwarders.
2. Block HTTPS connection to data.iana.org.
3. systemctl start unbound-anchor

Actual results:
/var/lib/unbound/root.key is not modified
systemctl status unbound-anchor shows failed
local DNS server is never tried

Expected results:
/var/lib/unbound/root.key is modified with update timestamp
local DNS server is checked for DNSSEC support first

Additional info:
I think it should prefer the local DNS server and only try a direct root query if that fails. It can delay the new key fetch by the local DNS server cache. It will reduce the load on the root servers. It will work on intranets without direct access to the Internet if the local forwarders support DNSSEC.

--- Additional comment from Paul Wouters on 2017-05-30 14:46:57 EDT ---

Yes, this is important to get fixed before the KSK roll and the end of the year.

Comment 2 Paul Wouters 2017-05-31 14:52:31 UTC
Unbound-anchor is used in two places: for an actual recursor, which has access to the root and thus should do what it does now, and for home users that want resolv.conf.

There is already an option:
-f resolv.conf  use given resolv.conf to resolve -u name

That may not do that for the DNSKEY probe itself; the -C unbound.conf option works for that. If you specify an unbound.conf that is empty apart from a forward-zone for the root with a couple of IP addresses, then it'll work and send traffic to those nameservers.
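
The forwarder-only configuration that Comment 2 describes, together with a check for the "root.key is modified with update timestamp" expected result from the Description, as an added example (not code from the bug report, from Red Hat or from the unbound project). The forwarder addresses 192.0.2.53 and 192.0.2.54 are placeholders from the RFC 5737 documentation range, the file paths are chosen for this example, and the ;;last_success / ;;query_failed lines are the autotrust state format that unbound-anchor keeps in root.key as I know it; the sample root.key written by write_sample_root_key is constructed, not a real anchor file.

```shell
#!/bin/sh
# Added example; not part of the bug report or of unbound itself.

# Write the minimal unbound.conf from Comment 2: otherwise empty, with a
# forward-zone for the root pointing at local forwarders, so that the RFC
# 5011 DNSKEY probe goes to them instead of directly to the root servers.
#   write_forward_conf <path> <forwarder-ip>...
write_forward_conf() {
    conf="$1"; shift
    {
        printf 'server:\n'
        printf '    # intentionally empty: only the forward-zone matters here\n'
        printf 'forward-zone:\n'
        printf '    name: "."\n'
        for addr in "$@"; do
            printf '    forward-addr: %s\n' "$addr"
        done
    } > "$conf"
}

# Return 0 when the autotrust state in <root.key> records a successful probe
# at or after <epoch> and no outstanding query failures, 1 otherwise.
# This is the check behind the expected result "root.key is modified with
# update timestamp": a failed probe bumps ;;query_failed and leaves
# ;;last_success at its old value.
#   anchor_updated_since <root.key> <epoch>
anchor_updated_since() {
    awk -v since="$2" '
        BEGIN { ls = -1; qf = 0 }
        /^;;last_success:/ { ls = $2 + 0 }
        /^;;query_failed:/ { qf = $2 + 0 }
        END { exit !(ls >= since && qf == 0) }
    ' "$1"
}

# Constructed sample of the autotrust file layout (placeholder key material,
# NOT the real root KSK), for trying anchor_updated_since offline.
#   write_sample_root_key <path> <last_success_epoch> <query_failed>
write_sample_root_key() {
    cat > "$1" <<EOF
; autotrust trust anchor file
;;id: . 1
;;last_queried: $2 ;;constructed
;;last_success: $2 ;;constructed
;;next_probe_time: $(( $2 + 43200 )) ;;constructed
;;query_failed: $3
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAPLACEHOLDER ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=$2 ;;constructed
EOF
}

# Real run, only when asked for explicitly (sourcing this file is harmless):
#   sh anchor-via-forwarder.sh run /var/lib/unbound/root.key
# unbound-anchor's -a (anchor file) and -C (config file) options are used
# as documented in its man page; the exit status of unbound-anchor itself
# is not relied on, only the state it writes into root.key.
if [ "${1-}" = "run" ]; then
    before=$(date +%s)
    write_forward_conf /tmp/anchor-forward.conf 192.0.2.53 192.0.2.54
    unbound-anchor -a "$2" -C /tmp/anchor-forward.conf -v || true
    if anchor_updated_since "$2" "$before"; then
        echo "RFC 5011 probe through the forwarders succeeded"
    else
        echo "no successful probe recorded in $2 (check ;;query_failed)"
    fi
fi
```

On a host that matches the reproduction steps (no direct DNS or HTTPS, forwarders reachable and DNSSEC-capable), a successful run leaves ;;last_success at a fresh timestamp and ;;query_failed at 0; the same script on the stock configuration reproduces the failure the bug describes, with ;;query_failed counting up.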

Comment 4 Petr Menšík 2018-07-04 09:57:54 UTC
Prepared proposed fix for this issue at upstream: https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112

Comment 5 Petr Menšík 2018-07-04 09:58:34 UTC
Created also Fedora bug #1598078

Comment 7 Martin Osvald 🛹 2019-08-08 14:50:15 UTC
The main thing here is that the changes got into upstream.

Closing this as WONTFIX; it's too late for RHEL 7.8 and there is no chance to get acks after that.

This will never get fixed in RHEL7.
