Reload required when updating root.hints or root.key?

Sandro lists at
Thu Jun 23 11:00:50 UTC 2022

Hi Daisuke,

On 23-06-2022 12:16, Daisuke HIGASHI wrote:

> On root hint, reload is not required. Unbound will use root.hints
> file on startup but updates its root NS list periodically by root
> priming queries [RFC8109].

Thank you for clarifying. That one is clear. And it helps not having to 
reload Unbound, since that would clear the cache. Although it can be 
dumped and reloaded.

> On DNSSEC trust anchor, all you need is auto-trust-anchor-file:
> "/var/lib/unbound/root.key" in unbound.conf and do not execute
> unbound-anchor periodically. "auto-trust-anchor-file" keeps tracking
> root trust anchor updates [RFC5011] and save it automatically.

Okay. That comes a bit as a surprise. On my system (Fedora 35) the 
default setup is to run unbound-anchors once before starting 
unbound.service and henceforth unbound-anchor will be run daily, 
triggered by a systemd timer, which is enabled by default.

Moreover, if I understand unbound-anchor correctly, it fetches the root 
key from IANA's website if RFC5011 fails (eg. root-key not yet present). 
So, that begs the question why Fedora chooses to run unbound-anchor daily.

In my case, I'm using root hints and root key from OpenNIC. I'm used to 
updating root hints periodically. I recently migrated to Unbound using 
dnssec validation. Before I used BIND without dnssec validation. So, I 
fetched the key from one of the OpenNIC root servers and put it in 
/var/lib/unbound/root.key. But how would Unbound know which server to 
query for RFC5011? Does it use the root hints for that? Or do I need to 
define that elsewhere?
I was prepared doing it by cronjob (or timer) periodically, assuming 
Unbound has no way of knowing where that key comes from.

-- Sandro

More information about the Unbound-users mailing list