+++ This bug was initially created as a clone of Bug #1456859 +++
Description of problem:
A periodic timer runs unbound-anchor daily to maintain the root trust anchor. However, it requires a direct connection to the root servers; it never tries local forwarders. If the machine runs in an environment that restricts direct connections to both the DNS root servers and HTTPS at data.iana.org, RFC 5011 does not work.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Block access to all DNS servers but your forwarders.
2. Block HTTPS connection to data.iana.org.
3. systemctl start unbound-anchor
Actual results:
/var/lib/unbound/root.key is not modified
systemctl status unbound-anchor shows failed
local DNS server is never tried
Expected results:
/var/lib/unbound/root.key is modified with update timestamp
local DNS server is checked for DNSSEC support first
I think it should prefer the local DNS server and only try a direct root query if that fails. It may delay fetching a new key because of the local DNS server's cache. It will reduce the load on the root servers. It will work on intranets without direct access to the Internet if the local forwarders support DNSSEC.
--- Additional comment from Paul Wouters on 2017-05-30 14:46:57 EDT ---
Yes, this is important to get fixed before the KSK roll and the end of the year.
Unbound-anchor is used in two places: for an actual recursor, which has access to the root and thus should do what it does now, and for home users who want resolv.conf.
There is already an option:
-f resolv.conf use given resolv.conf to resolve -u name
That may not do that for the DNSKEY probe itself; the -C unbound.conf option works for that. If you specify an unbound.conf that is empty except for a forward-zone for the root with a couple of IP addresses, it will work and send traffic to those nameservers.
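The configuration described in the comment above, written out as an added example (this is not code from the bug report or from the unbound project): a script that generates the minimal unbound.conf containing only a forward-zone for the root, runs unbound-anchor with -C against it, and reports whether root.key was rewritten. The forwarder addresses are placeholders from the RFC 5737 documentation range; /var/lib/unbound/root.key is the anchor path from the bug report; the probe function needs the unbound-anchor binary and write access to the key file.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the unbound project.
# Builds the "empty unbound.conf with a forward-zone for the root" that the
# comment describes, so that unbound-anchor -C sends its DNSKEY probe to
# local forwarders instead of directly to the root servers.
# Assumptions: forwarder IPs below are placeholders (RFC 5737 range);
# /var/lib/unbound/root.key is the anchor path named in the bug report.

# Write a minimal unbound.conf to $1 that forwards the root zone "." to the
# forwarder IPs given as the remaining arguments. Prints the path written.
make_forward_conf() {
  out=$1
  shift
  {
    printf 'server:\n'
    printf '  # intentionally empty: unbound-anchor only needs the forwarders\n'
    printf 'forward-zone:\n'
    printf '  name: "."\n'
    for ip in "$@"; do
      printf '  forward-addr: %s\n' "$ip"
    done
  } > "$out"
  printf '%s\n' "$out"
}

# Run unbound-anchor against the generated config and report whether the
# key file changed (the bug report's "modified with update timestamp").
# Returns 0 if root.key was rewritten, 1 if it was left untouched,
# 2 if unbound-anchor is not installed or a temp file cannot be made.
# -a is the root.key to maintain, -C is the config file to read forwarders from.
probe_via_forwarders() {
  key=$1
  conf=$2
  command -v unbound-anchor >/dev/null 2>&1 || return 2
  before=$(mktemp) || return 2
  # keep a copy of the key file so the comparison is by content, not mtime
  if [ -f "$key" ]; then
    cp "$key" "$before"
  fi
  unbound-anchor -a "$key" -C "$conf" >/dev/null 2>&1
  if cmp -s "$key" "$before"; then
    rm -f "$before"
    return 1
  fi
  rm -f "$before"
  return 0
}

# Example usage (placeholder forwarders; run as a user that may write root.key):
# conf=$(make_forward_conf /etc/unbound/anchor-forward.conf 192.0.2.53 192.0.2.54)
# probe_via_forwarders /var/lib/unbound/root.key "$conf"; echo "status $?"
```

The generated file deliberately carries no validation settings: unbound-anchor performs its own RFC 5011 check of the DNSKEY RRset it receives, so all the config has to do is name the forwarders. If the probe leaves root.key unchanged while the forwarders are reachable, the first thing to verify is that those forwarders return DNSSEC records for the root zone, which is the "checked for DNSSEC support first" behaviour the reporter asks for.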
Prepared a proposed fix for this issue upstream: https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112
Also created Fedora bug #1598078
The main thing here is that the changes got upstream.
Closing this as WONTFIX; it's too late for RHEL7.8 and there is no chance to get acks after that.
This will never get fixed in RHEL7.