unbound-anchor: do not default to root direct queries

Petr Menšík pemensik at redhat.com
Wed Jul 4 10:12:57 UTC 2018


I co-maintain unbound in Fedora. unbound-anchor is used periodically to
maintain the DNSSEC trust anchor (RFC 5011). But I observed in our internal
network that it always requires direct DNS access. In our network, that
is blocked.

I know I can use unbound-anchor -f /etc/resolv.conf. That would fail in
any case when local resolvers do not support DNSSEC. That disqualifies
it as a general fix. I needed something between that. I think always
sending client queries directly to root servers is not very good practice.

So I dug into the unbound-anchor code and prepared a fix. I created bug
#4112 [1] for it. It adds a new -R parameter. If used with -f
/etc/resolv.conf, it will try to validate the DNSKEY first on the resolvers from
it. If that fails, it would use a direct root query as a fallback. This way,
unbound-anchor -f /etc/resolv.conf -R would work for most configurations.

Is it acceptable? Any opinions on it?


[1] https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112

Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
