Bug 4112 - unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled
unbound-anchor -f /etc/resolv.conf will not pass if DNSSEC is not enabled
Product: unbound
Classification: Unclassified
Component: server
x86_64 Linux
: P5 enhancement
Assigned To: unbound team
Depends on:
  Show dependency treegraph
Reported: 2018-07-04 11:56 CEST by Petr Menšík
Modified: 2018-07-04 12:29 CEST (History)
3 users (show)

See Also:

Patch: Allow fallback from resolv.conf to direct (6.39 KB, patch)
2018-07-04 11:56 CEST, Petr Menšík
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Menšík 2018-07-04 11:56:47 CEST
Created attachment 508 [details]
Patch: Allow fallback from resolv.conf to direct

In Fedora, unbound-anchor is used to keep root.key valid, even only if unbound-libs are installed. It does not use -f /etc/resolv.conf, because it would always fail on resolvers not supporting DNSSEC.

I think this aproach is designed in a wrong way. I think direct root servers should not be used for DNSSEC key rollover by default. But it is difficult to work around that.

We have internal network with direct DNS queries forbidden. In such environment, our trust anchors are never updated automatically. Moreover, it always wait a long time before it timeouts. It slows down startup of unbound significantly in such case.

I have prepared patch that allows specifying -f /etc/resolv.conf, but would automatically fallback to direct root queries if resolvers are not useable. It allows preference of local resolver, but always tries to provide root anchor.

Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1598078
Comment 1 Wouter Wijngaards 2018-07-04 12:02:51 CEST
Hi Petr,

Yes that is an excellent idea, thank you for the patch.  Integrated it into the code repository.

Best regards, Wouter
Comment 2 Petr Menšík 2018-07-04 12:29:04 CEST
I think with this change, it might make sense to enable -R -f /etc/resolv.conf by default in unbound-anchor. On unix machines only of course. It should work well in any case.