Description of problem: Periodic timer of unbound-anchor is running to maintain root trust anchor daily. However it requires direct connection to root servers, it would never try local forwarders. If that machine is running in environment with restricted direct connection to both DNS servers and HTTPS at data.iana.org, RFC 5011 would not work. Version-Release number of selected component (if applicable): unbound-0:1.6.0-6.fc25.x86_64 How reproducible: Always Steps to Reproduce: 1. Block access to all DNS servers but your forwarders. 2. Block HTTPS connection to data.iana.org. 3. systemctl start unbound-anchor Actual results: /var/lib/unbound/root.key is not modified systemctl status unbound-anchor shows failed local DNS server is never tried Expected results: /var/lib/unbound/root.key is modified with update timestamp local DNS server is checked for DNSSEC support first Additional info: I think it should prefer local DNS server and only try direct root query if it fails. It can delay new key fetch by local DNS server cache. It will reduce load of root servers. It will work on intranets without direct access to the Internet if local forwarders support DNSSEC.
Tracked on upstream as https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112
unbound-1.7.3-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2be76af59f
unbound-1.7.3-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3326fc0232
unbound-1.7.3-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3326fc0232
unbound-1.7.3-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2be76af59f
unbound-1.7.3-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
unbound-1.7.3-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.