RPZ: is this config correct?

George Thessalonikefs george at nlnetlabs.nl
Wed Apr 28 12:13:33 UTC 2021


Hi Andreas,

I can't reproduce what you are experiencing. That configuration with URL 
zone transferring is working fine on my machine (linux). And it works 
with or without TLS in place.
I didn't use docker, though, so I can't comment on whether something doesn't 
work there specifically.

What was described previously on the list is an issue with fetching the 
zone file via URL on windows specifically. I tracked this down to HTTPS 
specifically but didn't have time to look further on that yet.

Some points that may help you further:

1.
You can skip the 'zonefile:' directive. That way you force unbound to 
not look at a possible file when starting and instead fetch the zone 
from the url.
If a zonefile is already present at the configured location unbound will 
use it without going out to the network.
Zone updates then happen based on the SOA.Refresh timer of the zone.

2.
You could use 'unbound-control auth_zone_transfer <auth_zone>' and see 
what happens. Unbound should try to refetch the zone data from the URL 
and hopefully print out some errors in your case.

Best regards,
-- George


On 22/04/2021 16:40, A. Schulze via Unbound-users wrote:
> Hello,
> 
> I like to attach myself to this longer thread...
> 
> Am 10.11.20 um 17:53 schrieb RayG via Unbound-users:
> 
>> I have no issue getting the data using the URL in a browser but unbound flatly refuses to successfully retrieve it.
>>
>>       name: "URLHaus"
>>       zonefile: "C:\ProgramData\Unbound\Logs\urlhaus.zone"
>>       url: https://urlhaus.abuse.ch/downloads/rpz
>>       rpz-log: yes
>>       rpz-log-name: "URLHausRPZ"
>>       rpz-action-override: nxdomain
>>
>> I have tried with an empty file, a populated file and no file but nothing works. No file is ever created.
> 
> 
> My idea was to use RPZ and also start with urlhaus available as https://urlhaus.abuse.ch/downloads/rpz
> Running 1.13.1 this failed partially. So here are my findings.
> To be as reproducible as possible, I describe a docker setup and show some unnecessary explicit options:
> 
> $ install -d /tmp/rpz/ && cd /tmp/rpz/
> 
> $ cat <<EOF > /tmp/rpz/unbound.conf
> server:
>   chroot: ""
>   do-daemonize: no
>   do-ip6: no
>   logfile: ""
>   log-replies: yes
>   module-config: "respip validator iterator"
>   tls-cert-bundle: /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
> rpz:
>   name: rpz.urlhaus.abuse.ch.
>   zonefile: /tmp/spool/rpz.urlhaus.abuse.ch
>   url: https://urlhaus.abuse.ch/downloads/rpz/
>   rpz-log: yes
> EOF
> 
> $ docker run --name unbound --rm -ti -v /tmp/rpz:/tmp/rpz:rw debian:testing-slim
> root at f94664d2bfc7:/# apt-get update
> ...
> root at f94664d2bfc7:/# apt-get -qq --no-install-recommends install ca-certificates knot-dnsutils unbound wget
> ...
> root at f94664d2bfc7:/# install -d --owner unbound /tmp/spool/
> 
> root at f94664d2bfc7:/# unbound -c /tmp/rpz/unbound.conf
> [1619098696] unbound[2749:0] notice: init module 0: respip
> [1619098696] unbound[2749:0] notice: init module 1: validator
> [1619098696] unbound[2749:0] notice: init module 2: iterator
> [1619098696] unbound[2749:0] info: start of service (unbound 1.13.1).
> 
> According to unbound documentation I expect unbound to start downloading
> https://urlhaus.abuse.ch/downloads/rpz/ to /tmp/spool/rpz.urlhaus.abuse.ch
> The directory /tmp/spool/ *is* writable for the unbound user.
> 
> That download does not happen.
> 
> Consequently dns queries are answered like no rpz is present at all.
> Let's log in from another shell into the unbound container and ask for the test entry:
> 
> $ docker exec -ti unbound bash
> root at f94664d2bfc7:/# kdig @127.0.0.1 testentry.rpz.urlhaus.abuse.ch.
> ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 16488
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;; testentry.rpz.urlhaus.abuse.ch.              IN      A
> 
> ;; AUTHORITY SECTION:
> abuse.ch.               1800    IN      SOA     ns1.p04.dynect.net. dnsadmin.abuse.ch. 2021042100 3600 600 604800 1800
> 
> ;; Received 111 B
> ;; Time 2021-04-22 14:00:35 UTC
> ;; From 127.0.0.1 at 53(UDP) in 21.7 ms
> 
> the other terminal shows the log:
> ...
> [1619098696] unbound[2749:0] info: start of service (unbound 1.13.1).
> [1619100035] unbound[2874:0] info: 127.0.0.1 testentry.rpz.urlhaus.abuse.ch. A IN NXDOMAIN 0.021310 0 111
> 
> This is unexpected because there is an AUTHORITY SECTION
> 
> Now let's download https://urlhaus.abuse.ch/downloads/rpz/ manually.
> We use 'wget' and explicitly set ca-directory to an empty /opt/ and ca-certificate to the one matching CA so only this one download is 'permitted'
> This is only to demonstrate there are *no* TLS certificate validation issues.
> Also, we run 'wget' as user unbound. This makes the resulting file owned and thus writable by unbound.
> 
> press CTRL+C in the unbound terminal
> 
> ^C[1619099541] unbound[2856:0] info: service stopped (unbound 1.13.1).
> [1619099541] unbound[2856:0] info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch, 0 rejected by ip ratelimiting
> [1619099541] unbound[2856:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
> [1619099541] unbound[2856:0] info: average recursion processing time 0.031167 sec
> [1619099541] unbound[2856:0] info: histogram of recursion processing times
> [1619099541] unbound[2856:0] info: [25%]=0 median[50%]=0 [75%]=0
> [1619099541] unbound[2856:0] info: lower(secs) upper(secs) recursions
> [1619099541] unbound[2856:0] info:    0.016384    0.032768 1
> 
> root at f94664d2bfc7:/#  su --shell /bin/sh --command 'wget --no-verbose -O /tmp/spool/rpz.urlhaus.abuse.ch --ca-directory=/opt --ca-certificate=/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt https://urlhaus.abuse.ch/downloads/rpz/' unbound
> 2021-04-22 14:29:19 URL:https://urlhaus.abuse.ch/downloads/rpz/ [163814/163814] -> "/tmp/spool/rpz.urlhaus.abuse.ch" [1]
> 
> root at f94664d2bfc7:/# stat /tmp/spool/rpz.urlhaus.abuse.ch
>    File: /tmp/spool/rpz.urlhaus.abuse.ch
>    Size: 163814          Blocks: 320        IO Block: 4096   regular file
> Device: 34h/52d Inode: 123433959   Links: 1
> Access: (0644/-rw-r--r--)  Uid: (  101/ unbound)   Gid: (  101/ unbound)
> Access: 2021-04-22 14:29:19.000000000 +0000
> Modify: 2021-04-22 14:25:03.000000000 +0000
> Change: 2021-04-22 14:29:19.891804798 +0000
>   Birth: 2021-04-22 14:29:19.619804800 +0000
> 
> again, start unbound:
> 
> root at f94664d2bfc7:/# unbound -c /tmp/rpz/unbound.conf
> [1619099932] unbound[2866:0] notice: init module 0: respip
> [1619099932] unbound[2866:0] notice: init module 1: validator
> [1619099932] unbound[2866:0] notice: init module 2: iterator
> [1619099932] unbound[2866:0] info: start of service (unbound 1.13.1).
> 
> in the other terminal now ask the *same* question:
> 
> root at f94664d2bfc7:/# kdig @127.0.0.1 testentry.rpz.urlhaus.abuse.ch. ns
> ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 29041
> ;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;; testentry.rpz.urlhaus.abuse.ch.              IN      NS
> 
> ;; Received 48 B
> ;; Time 2021-04-22 14:04:32 UTC
> ;; From 127.0.0.1 at 53(UDP) in 0.2 ms
> 
> and unbound logs this:
> [1619100269] unbound[2880:0] info: start of service (unbound 1.13.1).
> [1619100272] unbound[2880:0] info: RPZ applied testentry.rpz.urlhaus.abuse.ch. nxdomain 127.0.0.1 at 39411 testentry.rpz.urlhaus.abuse.ch. NS IN
> [1619100272] unbound[2880:0] info: 127.0.0.1 testentry.rpz.urlhaus.abuse.ch. NS IN NXDOMAIN 0.000000 1 48
> 
> 
> so we see, the same question is now handled by the rpz and is answered (in this case also) with NXDOMAIN
> But this happens only if I manually provide the rpz data file.
> 
> I also set up a second nginx container that can serve http://local-nginx/rpz.urlhaus.abuse.ch to unbound
> This eliminates https and allows running tcpdump on the local docker network: There is no communication from unbound to the local-nginx
> 
> But the documentation (https://github.com/NLnetLabs/unbound/blob/release-1.13.1/doc/unbound.conf.5.in#L2404)
> promises somehow "If the file does not exist or is empty, unbound will attempt to fetch zone data (eg. from the primary servers)"
> 
> Conclusion: rpz with URL works but bootstrapping is unsure.
> I've also not yet monitored, if and when updates happen.
> 
> Andreas
> 
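An added example (not code from the thread or from unbound) that encodes George's point 1 above and the bootstrapping observation in the quoted report: given the text of the configured zonefile and its modification time, it tells an operator whether unbound will fetch from the url, serve the file as-is, or is overdue for an auth_zone_transfer. The sample zone, its names and serial are constructed, and the parser assumes a single-line SOA record.

```python
"""Added example, not code from the thread or from unbound: decide what
unbound will do with the zonefile of an rpz: block (George's point 1).
A missing or empty zonefile makes unbound fetch from 'url:'; an existing
file is served as-is and refreshed only after its SOA.Refresh elapses."""
import re
import time

# Constructed sample in RPZ zone syntax ('owner CNAME .' = NXDOMAIN rewrite).
# Names and serial are made up; this is not the real urlhaus feed.
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA ns1.example.invalid. hostmaster.example.invalid. 2021042200 3600 600 604800 300
@ IN NS localhost.
testentry CNAME .
bad.example CNAME .
"""

# Single-line SOA only; the multi-line parenthesised form is not handled here.
SOA_RE = re.compile(
    r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+\S+\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)",
    re.MULTILINE)

def parse_soa(zone_text):
    """Return (serial, refresh, retry, expire, minimum) from the SOA record."""
    m = SOA_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record; unbound would not load this zone")
    return tuple(int(g) for g in m.groups())

def nxdomain_names(zone_text):
    """Owner names the policy rewrites to NXDOMAIN (RPZ 'CNAME .' action)."""
    names = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-2:] == ["CNAME", "."]:
            names.add(fields[0])
    return names

def zonefile_status(zone_text, mtime, now=None):
    """'fetch': no usable file, unbound goes out to the url.
    'fresh': file is served; next transfer after SOA.Refresh.
    'stale': refresh elapsed; 'unbound-control auth_zone_transfer <zone>' is due."""
    if not zone_text:
        return "fetch"
    _serial, refresh, *_rest = parse_soa(zone_text)
    now = time.time() if now is None else now
    return "stale" if (now - mtime) > refresh else "fresh"

if __name__ == "__main__":
    serial, refresh, *_ = parse_soa(SAMPLE_ZONE)
    print(f"serial={serial} refresh={refresh}s nxdomain={sorted(nxdomain_names(SAMPLE_ZONE))}")
    print("status two hours after download:", zonefile_status(SAMPLE_ZONE, time.time() - 7200))
```

Run it against the real zonefile by reading the path from the rpz: block and passing the file's mtime; a 'stale' result is the cue to run the auth_zone_transfer command from point 2.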

