Bugzilla – Bug 4112
unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled
Last modified: 2018-07-04 12:29:04 CEST
Created attachment 508
Patch: Allow fallback from resolv.conf to direct
In Fedora, unbound-anchor is used to keep root.key valid, even if only unbound-libs are installed. It does not use -f /etc/resolv.conf, because it would always fail on resolvers not supporting DNSSEC.
I think this approach is designed in a wrong way. I think direct root servers should not be used for DNSSEC key rollover by default. But it is difficult to work around that.
We have an internal network with direct DNS queries forbidden. In such an environment, our trust anchors are never updated automatically. Moreover, it always waits a long time before it times out. It slows down the startup of unbound significantly in such a case.
I have prepared a patch that allows specifying -f /etc/resolv.conf, but would automatically fall back to direct root queries if the resolvers are not usable. It allows preference of the local resolver, but always tries to provide the root anchor.
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1598078
Yes, that is an excellent idea, thank you for the patch. Integrated it into the code repository.
Best regards, Wouter
I think with this change, it might make sense to enable -R -f /etc/resolv.conf by default in unbound-anchor. On Unix machines only, of course. It should work well in any case.