Package: unbound
Version: 1.6.0-3+deb9u2
Severity: normal

Hi!

we have unbound configured as a recursor on most of our hosts,
and we have a few trust-anchors in addition to the root zone's
configured with auto-trust-anchor-file.

One of the covered zones sees rarely, if ever, any queries.

It appears, however, that unbound is not maintaining the auto-trust-anchor
without seeing queries.

| weasel@scw-arm-ams-01:~$ cat /etc/unbound/unbound.conf
| ##
| ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
| ##
|
| server:
|         verbosity: 1
|
|
|
|         #chroot: ""
|
|         hide-identity: yes
|         hide-version: yes
|
|         # Do not query the following addresses. No DNS queries are sent there.
|         # List one address per entry. List classless netblocks with /size,
|         # do-not-query-address: 127.0.0.1/8
|         # do-not-query-address: ::1
|
|         # if yes, the above default do-not-query-address entries are present.
|         # if no, localhost can be queried (for testing and debugging).
|         # do-not-query-localhost: yes
|
|         # File with trusted keys, kept uptodate using RFC5011 probes,
|         # initial file like trust-anchor-file, then it stores metadata.
|         # Use several entries, one per domain name, to track multiple zones.
|         # auto-trust-anchor-file: ""
|         auto-trust-anchor-file: "/var/lib/unbound/root.key"
|         auto-trust-anchor-file: "/var/lib/unbound/torproject.org.key"
|         auto-trust-anchor-file: "/var/lib/unbound/30.172.in-addr.arpa.key"
|
|         prefetch: yes
|         prefetch-key: yes
|
| local-zone: "30.172.in-addr.arpa" nodefault
| forward-zone:
|         name: "30.172.in-addr.arpa"
|         forward-host: ns1.torproject.org
|         forward-host: ns2.torproject.org
|         forward-host: ns3.torproject.org
|         forward-host: ns4.torproject.org
|         forward-host: ns5.torproject.org

Note how the trust anchor for the 172.30/16 reverse zone is almost 2
weeks old:

} weasel@scw-arm-ams-01:~$ ls -lart /var/lib/unbound
} total 20
} drwxr-xr-x 36 root    root    4096 May 16  2018 ../
} -rw-r--r--  1 unbound unbound  794 Nov 12 09:17 30.172.in-addr.arpa.key
} -rw-r--r--  1 unbound unbound 1252 Nov 22 11:18 root.key
} -rw-r--r--  1 unbound unbound  784 Nov 23 05:42 torproject.org.key
} drwxrwxr-x  2 unbound unbound 4096 Nov 23 05:42 ./

I suspect that unbound might miss RFC5011 style updates since it
doesn't query the zone regularly.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
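A defender-side check for the situation described in this report, added here as an example and not part of the bug report or of unbound itself: it parses the RFC 5011 metadata that unbound keeps as `;;` comment lines inside an `auto-trust-anchor-file` (`;;last_queried`, `;;next_probe_time`, `;;query_interval`, and the per-DNSKEY `;;state=` annotation; those field names are assumed from unbound's autotrust file format) and flags an anchor whose scheduled probe is overdue by more than one query interval. The two sample files are constructed to mirror the timestamps in the listing above (a reverse-zone anchor last probed on Nov 12, checked on Nov 23, beside a root anchor that is current); the key material and key ids in them are placeholders.

```python
"""Flag auto-trust-anchor files whose RFC 5011 probing has fallen behind.

Added example (not unbound's code). It relies on the ';;key: value' comment
lines unbound writes into an auto-trust-anchor-file; the field names below are
assumed from that format.
"""
import re
from dataclasses import dataclass

_META = re.compile(r"^;;(\w+):\s*(\S+)")


@dataclass
class AnchorStatus:
    anchor_id: str
    last_queried: int       # epoch seconds of the last probe attempt
    next_probe_time: int    # epoch seconds unbound scheduled the next probe for
    query_interval: int     # seconds between probes (unbound default is 43200)
    overdue_by: int         # seconds past next_probe_time at check time, 0 if not due
    keys_valid: int         # DNSKEY records in state VALID (;;state=2)

    @property
    def stale(self) -> bool:
        # Stale: the scheduled probe is more than one full interval late.
        return self.overdue_by > self.query_interval


def parse_anchor_file(text: str, now: int) -> AnchorStatus:
    """Parse the metadata comments of one auto-trust-anchor file."""
    fields = {}
    keys_valid = 0
    for line in text.splitlines():
        m = _META.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        # DNSKEY records carry unbound's state annotation as a trailing comment.
        if re.search(r"\bDNSKEY\b", line) and ";;state=2" in line:
            keys_valid += 1
    next_probe = int(fields.get("next_probe_time", 0))
    return AnchorStatus(
        anchor_id=fields.get("id", "?"),
        last_queried=int(fields.get("last_queried", 0)),
        next_probe_time=next_probe,
        query_interval=int(fields.get("query_interval", 43200)),
        overdue_by=max(0, now - next_probe),
        keys_valid=keys_valid,
    )


# Constructed sample: reverse-zone anchor last probed 2018-11-12 09:17 UTC,
# next probe scheduled one interval later; key material is a placeholder.
REVERSE_ZONE_KEY = """\
; autotrust trust anchor file
;;id: 30.172.in-addr.arpa. 1
;;last_queried: 1542014220 ;;Mon Nov 12 09:17:00 2018
;;last_success: 1542014220 ;;Mon Nov 12 09:17:00 2018
;;next_probe_time: 1542057420 ;;Mon Nov 12 21:17:00 2018
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
30.172.in-addr.arpa.\t86400\tIN\tDNSKEY\t257 3 8 AwEAAPLACEHOLDERKEY== ;{id = 12345 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1542014220 ;;Mon Nov 12 09:17:00 2018
"""

# Constructed sample: root anchor probed 2018-11-22 11:18 UTC, next probe
# still in the future at check time; key material is a placeholder.
ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1542885480 ;;Thu Nov 22 11:18:00 2018
;;last_success: 1542885480 ;;Thu Nov 22 11:18:00 2018
;;next_probe_time: 1542928680 ;;Thu Nov 22 23:18:00 2018
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.\t86400\tIN\tDNSKEY\t257 3 8 AwEAAPLACEHOLDERROOTKEY== ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1542885480 ;;Thu Nov 22 11:18:00 2018
"""

CHECK_TIME = 1542865320  # 2018-11-23 05:42 UTC, the time of the ls listing


def check_all(now: int = CHECK_TIME):
    """Return a {anchor_id: AnchorStatus} map for the two constructed files."""
    return {
        s.anchor_id: s
        for s in (parse_anchor_file(REVERSE_ZONE_KEY, now),
                  parse_anchor_file(ROOT_KEY, now))
    }


if __name__ == "__main__":
    for anchor_id, st in check_all().items():
        verdict = "STALE" if st.stale else "ok"
        print(f"{anchor_id:<22} valid keys={st.keys_valid} "
              f"overdue={st.overdue_by // 3600}h [{verdict}]")
```

In practice the checker would read every file named by an `auto-trust-anchor-file:` line in `unbound.conf` and pass `int(time.time())` as `now`; on the host in the report it would flag `30.172.in-addr.arpa.` as roughly nine days behind its scheduled probe while `.` and `torproject.org.` report ok, which is the condition to alert on before a KSK rollover leaves the anchor unable to validate.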
