Bug 750 - Create auto-trust-anchor-file for non-root zones automatically
Product: unbound
Classification: Unclassified
Component: server
x86_64 Linux
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2016-03-27 20:45 CEST by Simon Arlott
Modified: 2016-03-31 14:59 CEST (History)
Description Simon Arlott 2016-03-27 20:45:31 CEST
I'm using auto-trust-anchor-file and stub-zone for local zones that I always want to be available immediately even if there is currently no internet connectivity.

It's difficult to automate management of the trust anchor file of several zones because a manual query must be made to get the initial DNSKEY using the unbound resolver, which may not yet be configured, or a zone that may not yet exist on the authoritative server.

It would be better if unbound could automatically create the trust anchor file for non-root zones by making a DNSKEY query (and checking that the response is secure) itself.
Comment 1 Wouter Wijngaards 2016-03-29 09:21:22 CEST
Hi Simon,

No, we will not do it.

The query for the trust zone is only made once there are user queries.

Otherwise, an unbound instance with no load would sit there and make a lot of queries to the internet.  The current design has such unbound instances quiet without creating a load.

Did you know that you can fill the auto-trust-anchor-file with contents yourself?  I.e. when you create it you can fill it with a couple of DS records or with a couple of DNSKEY records.  (in zone file format, one record per line).  Actually, you probably know this because there is no other way to start the auto-trust-anchor-file right?

Best regards, Wouter
Comment 2 Simon Arlott 2016-03-30 21:30:44 CEST
Yes, I can fill the contents myself, but not with secure data because unbound may not be available if it's being configured.

I've had to compromise by not adding an auto-trust-anchor-file configuration entry if the file is absent or empty. It's still populated by querying the authoritative server directly which is not secure.
Comment 3 Wouter Wijngaards 2016-03-31 09:08:52 CEST
Hi Simon,

If unbound is not available, you can resolve a single lookup with the configuration using unbound-host (-C config file).  That will perform a full lookup and perform dnssec validation if you want it.

You want it filled in with dnssec-validated results?  Use unbound-host; if you do not want to pass a full config file, you can pass the root key file and it'll recurse and validate.  With -v it'll print the validation results.  You have to filter out bogus answers and accept the secure answers; unbound-host always prints results.

Best regards, Wouter
Comment 4 Simon Arlott 2016-03-31 14:07:37 CEST
Unlike dig, unbound-host does not provide output in a format compatible with the auto-trust-anchor-file. Converting to DNS zone format and checking that the response is secure would require post-processing of the output.
Comment 5 Wouter Wijngaards 2016-03-31 14:48:59 CEST
Hi Simon,

drill has a number of options that allow it to validate the output (sigchase)?

drill is part of libldns.

Best regards, Wouter
Comment 6 Wouter Wijngaards 2016-03-31 14:59:55 CEST
Hi Simon,

Unbound-host is not that hard to script, the output is the rdata section of the DNSKEY record:

$ unbound-host -f root.key -t DNSKEY -v nlnetlabs.nl | grep '(secure)$' | sed -e 's/ (secure)$//' -e 's/has DNSKEY record/DNSKEY/' > nlnetlabs.nl.key

Replace nlnetlabs.nl with your domain of choice.  Maybe this or drill works for you?

Best regards, Wouter
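The post-processing Simon asks for in comment 4, and the unbound-host approach Wouter sketches in comments 3 and 6, can be wrapped in a small script. The following is an added example and is not code from the bug report or from the unbound project. It assumes the unbound-host -v output layout visible in Wouter's one-liner ("<name> has DNSKEY record <rdata> (secure)", with "(insecure)" or "(BOGUS ...)" for answers that did not validate); the sample output lines embedded below are constructed for the demonstration, and the key material in them is not real. Unlike the bare pipeline, it refuses to create the anchor file when no secure DNSKEY answer was seen, so a zone that does not yet exist or a bogus answer leaves no empty or poisoned auto-trust-anchor-file behind.

```shell
#!/bin/sh
# Added example (not part of the bug report): build an auto-trust-anchor-file
# from `unbound-host -f root.key -t DNSKEY -v <zone>` output, keeping only
# answers that unbound-host validated as "(secure)".

# Read unbound-host -v lines on stdin, print zone-file style DNSKEY lines.
# Assumed field layout (constructed from Wouter's example):
#   <name> has DNSKEY record <flags> <proto> <alg> <key...> (secure)
# Lines marked (insecure), (BOGUS ...) or "has no DNSKEY record" are dropped.
anchor_lines_from_unbound_host() {
    awk '
        $2 == "has" && $3 == "DNSKEY" && $4 == "record" && $NF == "(secure)" {
            name = $1
            sub(/\.$/, "", name)              # avoid a double trailing dot
            printf "%s. 3600 IN DNSKEY", name # TTL/class make the line a full RR
            for (i = 5; i < NF; i++) printf " %s", $i
            printf "\n"
        }'
}

# $1 = destination anchor file; stdin = unbound-host -v output.
# Writes the file atomically and only when at least one secure DNSKEY was
# found; returns 1 (and writes nothing) otherwise.
write_anchor_file() {
    dest="$1"
    tmp="$dest.tmp.$$"
    anchor_lines_from_unbound_host > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no secure DNSKEY answers; not writing $dest" >&2
        return 1
    fi
    mv "$tmp" "$dest"
}

# Constructed sample of unbound-host -v output (keys are placeholders, not real).
SAMPLE_OUTPUT='example.org has DNSKEY record 257 3 8 AwEAAexampleKSKbase64== (secure)
example.org has DNSKEY record 256 3 8 AwEAAexampleZSKbase64== (secure)
bogus.example has DNSKEY record 257 3 8 AwEAAbad== (BOGUS (security failure))
unsigned.example has no DNSKEY record (insecure)'

# Demonstration on the constructed sample; with a real resolver you would run:
#   unbound-host -f root.key -t DNSKEY -v example.org | write_anchor_file example.org.key
printf '%s\n' "$SAMPLE_OUTPUT" | anchor_lines_from_unbound_host
```

Only the two secure example.org records survive the filter; the bogus and insecure lines are discarded, and write_anchor_file returns non-zero rather than leaving an empty file if nothing secure came back, which is the condition Simon's provisioning needs to detect before adding the auto-trust-anchor-file entry to the configuration.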