Bug 1598078 - Unbound-anchor RFC 5011 root keys update does not work without direct root server query
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-04 09:54 UTC by Petr Menšík
Modified: 2018-07-31 17:10 UTC (History)
3 users

Fixed In Version: unbound-1.7.3-3.fc28 unbound-1.7.3-3.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-11 20:20:48 UTC
Type: Bug
Embargoed:




Links:
Red Hat Bugzilla 1457130 (priority low, status CLOSED): Unbound-anchor RFC 5011 root keys update does not work without direct root server query (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 1457130

Description Petr Menšík 2018-07-04 09:54:58 UTC
Description of problem:
The periodic timer of unbound-anchor runs to maintain the root trust anchor daily. However, it requires a direct connection to the root servers; it never tries the local forwarders. If that machine is running in an environment with restricted direct connection to both DNS servers and HTTPS at data.iana.org, RFC 5011 would not work.

Version-Release number of selected component (if applicable):
unbound-0:1.6.0-6.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Block access to all DNS servers but your forwarders.
2. Block HTTPS connection to data.iana.org.
3. systemctl start unbound-anchor

Actual results:
/var/lib/unbound/root.key is not modified
systemctl status unbound-anchor shows failed
local DNS server is never tried

Expected results:
/var/lib/unbound/root.key is modified with update timestamp
local DNS server is checked for DNSSEC support first


Additional info:
I think it should prefer the local DNS server and only try a direct root query if that fails. The local DNS server cache can delay a new key fetch. It will reduce the load on the root servers. It will work on intranets without direct access to the Internet if the local forwarders support DNSSEC.
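The "actual results" above boil down to one observable: /var/lib/unbound/root.key stops being updated. A defender who cannot rely on the systemd unit status can instead monitor the anchor file itself. The following is an added example, not code from this bug report or from unbound. It assumes the ";;"-commented autotrust layout that unbound writes to root.key (";;last_success:", ";;query_failed:", ";;query_interval:" and the per-key ";;state=N [ NAME ]" marker); the sample file content is constructed, the key material is a placeholder, and the staleness thresholds are this example's own monitoring policy rather than anything unbound or RFC 5011 prescribes.

```python
"""Freshness check for an Unbound RFC 5011 autotrust anchor file.

Added example, not code from the bug report or from unbound. It assumes
the ';;'-commented autotrust format that unbound writes to
/var/lib/unbound/root.key (fields such as ';;last_success:',
';;query_failed:' and the per-key ';;state=N [ NAME ]' marker). The
thresholds in assess() are this example's own monitoring policy.
"""
import os
import re
import sys
import time
from dataclasses import dataclass, field

# Constructed sample in the autotrust layout; the DNSKEY material is a
# placeholder, not a real root key.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1530700000 ;;Wed Jul  4 11:06:40 2018
;;last_success: 1528000000 ;;Sun Jun  3 05:06:40 2018
;;next_probe_time: 1530743200 ;;Wed Jul  4 23:06:40 2018
;;query_failed: 31
;;query_interval: 43200
;;retry_time: 8640
.\t86400\tIN\tDNSKEY\t257 3 8 PLACEHOLDERKEYMATERIAL== ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1500000000 ;;Fri Jul 14 04:40:00 2017
"""

# Counters we care about; the first number after the field name is the epoch
# value, the human-readable date after the second ';;' is ignored.
COUNTERS = ("last_queried", "last_success", "next_probe_time",
            "query_failed", "query_interval")
HEADER_RE = re.compile(r"^;;(\w+):\s*(\d+)")
# Key tag from '{id = NNNN ...}' and the state name from ';;state=N [ NAME ]'.
KEY_RE = re.compile(r"\{id = (\d+)[^}]*\}\s*;;state=\d+\s*\[\s*(\w+)\s*\]")


@dataclass
class AnchorStatus:
    last_queried: int = 0
    last_success: int = 0
    next_probe_time: int = 0
    query_failed: int = 0
    query_interval: int = 0
    key_states: dict = field(default_factory=dict)  # key tag -> state name


def parse_autotrust(text):
    """Parse the timing counters and per-key states out of an autotrust file."""
    status = AnchorStatus()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and m.group(1) in COUNTERS:
            setattr(status, m.group(1), int(m.group(2)))
            continue
        if "DNSKEY" in line:
            m = KEY_RE.search(line)
            if m:
                status.key_states[int(m.group(1))] = m.group(2)
    return status


def assess(status, now, max_age=30 * 86400, max_failures=10):
    """Return a list of findings; an empty list means the anchor looks healthy.

    max_age / max_failures are monitoring policy chosen for this example.
    """
    findings = []
    age = now - status.last_success
    if age > max_age:
        findings.append(f"stale: {age // 86400} days since last successful probe")
    if status.query_failed >= max_failures:
        findings.append(f"probes failing: query_failed={status.query_failed}")
    if "VALID" not in status.key_states.values():
        findings.append("no trust anchor in VALID state")
    return findings


if __name__ == "__main__":
    # Usage: python check_anchor.py [/var/lib/unbound/root.key]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path and os.path.exists(path) else SAMPLE_ROOT_KEY
    for finding in assess(parse_autotrust(text), int(time.time())) or ["ok"]:
        print(finding)
```

Run it against the real file from a cron job or a monitoring agent; a non-empty finding list is the signal that unbound-anchor has silently stopped refreshing the anchor, which is exactly the failure mode this report describes on networks without direct root access.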

Comment 1 Petr Menšík 2018-07-04 10:37:31 UTC
Tracked on upstream as https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112

Comment 2 Fedora Update System 2018-07-04 11:53:09 UTC
unbound-1.7.3-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2be76af59f

Comment 3 Fedora Update System 2018-07-04 12:41:42 UTC
unbound-1.7.3-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3326fc0232

Comment 4 Fedora Update System 2018-07-04 16:23:46 UTC
unbound-1.7.3-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3326fc0232

Comment 5 Fedora Update System 2018-07-04 18:22:42 UTC
unbound-1.7.3-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2be76af59f

Comment 6 Fedora Update System 2018-07-11 20:20:48 UTC
unbound-1.7.3-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2018-07-31 17:10:02 UTC
unbound-1.7.3-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
