Version 1.15.0 compatible with, is it good idea?

Petr Menšík pemensik at
Tue May 10 10:02:43 UTC 2022

On 5/9/22 18:03, Michael Tokarev wrote:
> 09.05.2022 18:04, Petr Menšík wrote:
> ..
>> The thing is, the unbound-libs package also contains unbound-anchor.service,
>> which uses unbound-anchor to keep /var/lib/unbound/root.key up-to-date
>> automagically even if the key changes. Shipping another library package
>> would be possible, but it would have to solve the conflict of those services
>> and who should maintain that key's validity. It gets unnecessarily
>> complicated.
> How do you run unbound-anchor? From a cron job?

It is actually triggered by the systemd unit unbound-anchor.timer. It allows
a daily job without a precise time. But yes, very similar to a cron job.

> unbound itself manages root trust anchor automatically these days
> (before, unbound-anchor was needed to keep it up to date iirc).

I know it does. But this is part of unbound-libs, because it targets
unbound library users. I think all servers except dnsmasq can do RFC
5011 rollover without additional configuration.

> In debian we decided to provide a separate package, dns-root-data, which
> contains the root.key and root.hints, distributed using the usual way.
> I dunno myself how reliable that will be in practice.

We do not have a separate trust anchor package for this. The main reason is
that not all software consumes it in the same format. dnsmasq requires
a different trust anchor format and bind needs that too. But we modified
most of the software using the unbound library for verification to use that
trust anchor. That way even openvswitch or libreswan should keep the trust
anchor as accurate as possible. Even after an eventual key roll they should
be able to validate, even without the package update.

I think the only package which does not depend on unbound-libs but can
use its trust anchor is the ldns-utils package. It will use unbound's trust
anchor too if it is installed, but does not have it as a dependency. I
thought about a package similar to the one Debian has, but its reuse would be
limited anyway.

But I admit I don't know how the trust anchor and hints are solved in
packages not inside RHEL, like pdns or knot. They might be able to reuse
some files if we made a shared package too.

>> I think the suggested changes make it simple enough and backward compatible
>> while adding just self-contained changes.
>> But all packages I checked on Fedora do not use the ub_resolve_event
>> function, with just one exception: libreswan. It seems no one else
>> adopted the asynchronous callback.
> Yes, this is exactly why it is failing, - this is the only known
> software which actually uses this functionality... :)
> /mjt

Petr Menšík
Software Engineer
Red Hat,
email: pemensik at
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
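
The format mismatch mentioned in the message above, as an added example that is not part of the original post or of any package discussed in it: a sketch that reads DNSKEY anchors from a file laid out like unbound's autotrust root.key and renders them as a dnsmasq `trust-anchor=` line (SHA-256 DS form) and a BIND `trust-anchors` block. The sample file is constructed with dummy 4-byte keys, the function names are hypothetical, and treating `state=2` as the only usable state is an assumption.

```python
import base64
import hashlib
import re

# Constructed sample in the layout of unbound's autotrust root.key file;
# the 4-byte keys are dummies, not the real root KSK.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA== ;{id = 2063 (ksk), size = 32b} ;;state=2 [  VALID  ]
.\t172800\tIN\tDNSKEY\t257 3 8 BQYHCA== ;{id = 4119 (ksk), size = 32b} ;;state=1 [ ADDPEND ]
"""

DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+([^;]+?)\s*(;.*)?$")

def wire_name(owner):
    """Owner name in lowercase DNS wire format ('.' becomes a single zero byte)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def parse_anchors(text):
    """Yield (owner, flags, proto, alg, pubkey_b64, rdata) for usable keys."""
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        owner, flags, proto, alg, b64, comment = m.groups()
        state = re.search(r";;state=(\d+)", comment or "")
        # Assumption: state 2 means VALID; a key without a state is a plain anchor.
        if state and state.group(1) != "2":
            continue
        b64 = "".join(b64.split())
        rdata = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
                 + base64.b64decode(b64))
        yield owner, int(flags), int(proto), int(alg), b64, rdata

def to_dnsmasq(text):
    """dnsmasq wants DS-style anchors: domain, key tag, algorithm, digest type, digest."""
    return [f"trust-anchor={o},{key_tag(r)},{a},2,"
            + hashlib.sha256(wire_name(o) + r).hexdigest().upper()
            for o, _f, _p, a, _b, r in parse_anchors(text)]

def to_bind(text):
    """BIND 9.16+ trust-anchors block carrying the DNSKEY itself."""
    keys = [f'    {o} initial-key {f} {p} {a} "{b}";'
            for o, f, p, a, b, _r in parse_anchors(text)]
    return "trust-anchors {\n" + "\n".join(keys) + "\n};"
```

A one-off conversion like this goes stale after a key roll, which is why the message prefers pointing consumers at the file that unbound-anchor keeps current.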
