1457130 – Unbound-anchor RFC 5011 root keys update does not work without direct root server query

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1457130 - Unbound-anchor RFC 5011 root keys update does not work without direct root server query

Summary: Unbound-anchor RFC 5011 root keys update does not work without direct root se...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	unbound
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Osvald 🛹
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:	1456859
Blocks:	1457133
TreeView+	depends on / blocked

Reported:	2017-05-31 07:58 UTC by Petr Menšík
Modified:	2019-08-08 14:50 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1456859
Clones:	1457133 (view as bug list)
Environment:
Last Closed:	2019-08-08 14:50:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1598078	0	unspecified	CLOSED	Unbound-anchor RFC 5011 root keys update does not work without direct root server query	2021-02-22 00:41:40 UTC

Internal Links: 1598078

Description Petr Menšík 2017-05-31 07:58:54 UTC

+++ This bug was initially created as a clone of Bug #1456859 +++

Description of problem:
Periodic timer of unbound-anchor is running to maintain root trust anchor daily. However it requires direct connection to root servers, it would never try local forwarders. If that machine is running in environment with restricted direct connection to both DNS servers and HTTPS at data.iana.org, RFC 5011 would not work.

Version-Release number of selected component (if applicable):
unbound-0:1.6.0-6.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Block access to all DNS servers but your forwarders.
2. Block HTTPS connection to data.iana.org.
3. systemctl start unbound-anchor

Actual results:
/var/lib/unbound/root.key is not modified
systemctl status unbound-anchor shows failed
local DNS server is never tried

Expected results:
/var/lib/unbound/root.key is modified with update timestamp
local DNS server is checked for DNSSEC support first


Additional info:
I think it should prefer local DNS server and only try direct root query if it fails. It can delay new key fetch by local DNS server cache. It will reduce load of root servers. It will work on intranets without direct access to the Internet if local forwarders support DNSSEC.

--- Additional comment from Paul Wouters on 2017-05-30 14:46:57 EDT ---

Yes, this is important to get fixed before the KSK roll and the end of the year.

Comment 2 Paul Wouters 2017-05-31 14:52:31 UTC

Unbound-anchor is used in two places, for an actual recursor, that has access to the root, and thus it should do what it does now.  And for home users that want resolv.conf.

There is already an option:
-f resolv.conf  use given resolv.conf to resolve -u name

That may not do that for the DNSKEY probe itself, the -C unbound.conf option works for that, if you specify unbound.conf: empty with forward-zone for the root and a couple IP addresses, then it'll work and send traffic to those nameservers.

Comment 4 Petr Menšík 2018-07-04 09:57:54 UTC

Prepared proposed fix for this issue at upstream: https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112

Comment 5 Petr Menšík 2018-07-04 09:58:34 UTC

Created also Fedora bug #1598078

Comment 7 Martin Osvald 🛹 2019-08-08 14:50:15 UTC

The main thing here is that the changes got to the upstream.

Closing this as WONTFIX, it's too late for RHEL7.8 and there is no chance to get acks after that.

This will never get fixed in RHEL7.

Note You need to log in before you can comment on or make changes to this bug.