Package: unbound
Version: 1.6.0-3+deb9u2
Severity: normal

Hi!

we have unbound configured as a recursor on most of our hosts, and we have a few trust-anchors in addition to the root zone's configured with auto-trust-anchor-file. One of the covered zones sees rarely, if ever, any queries. It appears unbound is not maintaining the auto-trust-anchor without seeing queries however.

| weasel@scw-arm-ams-01:~$ cat /etc/unbound/unbound.conf
| ##
| ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
| ##
|
| server:
|   verbosity: 1
|
|
|
|   #chroot: ""
|
|   hide-identity: yes
|   hide-version: yes
|
|   # Do not query the following addresses. No DNS queries are sent there.
|   # List one address per entry. List classless netblocks with /size,
|   # do-not-query-address: 127.0.0.1/8
|   # do-not-query-address: ::1
|
|   # if yes, the above default do-not-query-address entries are present.
|   # if no, localhost can be queried (for testing and debugging).
|   # do-not-query-localhost: yes
|
|   # File with trusted keys, kept uptodate using RFC5011 probes,
|   # initial file like trust-anchor-file, then it stores metadata.
|   # Use several entries, one per domain name, to track multiple zones.
|   # auto-trust-anchor-file: ""
|   auto-trust-anchor-file: "/var/lib/unbound/root.key"
|   auto-trust-anchor-file: "/var/lib/unbound/torproject.org.key"
|   auto-trust-anchor-file: "/var/lib/unbound/30.172.in-addr.arpa.key"
|
|   prefetch: yes
|   prefetch-key: yes
|
|   local-zone: "30.172.in-addr.arpa" nodefault
| forward-zone:
|   name: "30.172.in-addr.arpa"
|   forward-host: ns1.torproject.org
|   forward-host: ns2.torproject.org
|   forward-host: ns3.torproject.org
|   forward-host: ns4.torproject.org
|   forward-host: ns5.torproject.org

Note how the trust anchor for the 172.30/16 reverse zone is almost 2 weeks old:

} weasel@scw-arm-ams-01:~$ ls -lart /var/lib/unbound
} total 20
} drwxr-xr-x 36 root    root    4096 May 16  2018 ../
} -rw-r--r--  1 unbound unbound  794 Nov 12 09:17 30.172.in-addr.arpa.key
} -rw-r--r--  1 unbound unbound 1252 Nov 22 11:18 root.key
} -rw-r--r--  1 unbound unbound  784 Nov 23 05:42 torproject.org.key
} drwxrwxr-x  2 unbound unbound 4096 Nov 23 05:42 ./

I suspect that unbound might miss RFC5011 style updates since it doesn't query the zone regularly.

-- 
                            |  .''`.       ** Debian **
       Peter Palfrader      | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
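A monitoring check for the situation described in the report, added here as an illustration; it is not part of the bug report and not code from unbound. It pulls the auto-trust-anchor-file paths out of an unbound.conf, takes the `;;last_queried:` epoch from each anchor file's metadata header (the field name is assumed to follow unbound's autotrust file layout; if the line is absent it falls back to the file's mtime, which is what the `ls -lart` above relies on) and flags anchors whose last RFC 5011 probe is older than a threshold. The conf text and anchor-file header below are constructed sample data using the paths and the Nov 12 date from the report.

```python
"""Stale RFC 5011 trust-anchor check for unbound auto-trust-anchor-file entries.

Added example, not part of the bug report or of unbound. Flags anchor files
that unbound has not probed (or touched) within a chosen time window, so a
zone that is rarely queried still gets noticed when its anchor goes stale.
"""
import os
import re
import sys
from typing import Dict, List, Optional

# Matches active (uncommented) auto-trust-anchor-file lines, quoted or not.
ANCHOR_RE = re.compile(r'^\s*auto-trust-anchor-file:\s*"?([^"\s]+)"?', re.M)
# Metadata header unbound writes into an auto-trust-anchor-file (assumed layout).
LAST_QUERIED_RE = re.compile(r'^;;last_queried:\s*(\d+)', re.M)

# Two weeks: roughly the age the report flagged for 30.172.in-addr.arpa.key.
DEFAULT_MAX_AGE = 14 * 86400


def parse_anchor_files(conf_text: str) -> List[str]:
    """Return the auto-trust-anchor-file paths named in an unbound.conf text."""
    return ANCHOR_RE.findall(conf_text)


def last_queried(anchor_text: str) -> Optional[int]:
    """Return the ';;last_queried:' epoch from an anchor file, or None if absent."""
    m = LAST_QUERIED_RE.search(anchor_text)
    return int(m.group(1)) if m else None


def stale_anchors(observations: Dict[str, int], now: int,
                  max_age: int = DEFAULT_MAX_AGE) -> List[str]:
    """Given {path: last-activity-epoch}, return the paths older than max_age."""
    return sorted(p for p, ts in observations.items() if now - ts > max_age)


def observe(path: str) -> int:
    """Best timestamp for a real anchor file: metadata probe time, else mtime."""
    with open(path) as fh:
        ts = last_queried(fh.read())
    return ts if ts is not None else int(os.stat(path).st_mtime)


# Constructed sample conf mirroring the report's three anchor entries.
SAMPLE_CONF = '''
server:
    # auto-trust-anchor-file: ""
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    auto-trust-anchor-file: "/var/lib/unbound/torproject.org.key"
    auto-trust-anchor-file: "/var/lib/unbound/30.172.in-addr.arpa.key"
'''
# Constructed anchor-file header; 1542014220 is 2018-11-12 09:17:00 UTC,
# the mtime of 30.172.in-addr.arpa.key in the report's ls output.
SAMPLE_ANCHOR = ";;last_queried: 1542014220 ;;Mon Nov 12 09:17:00 2018\n"


def main(argv: List[str]) -> int:
    """Usage: check.py [/etc/unbound/unbound.conf]; exit 1 if any anchor is stale."""
    import time
    conf = argv[1] if len(argv) > 1 else "/etc/unbound/unbound.conf"
    with open(conf) as fh:
        paths = parse_anchor_files(fh.read())
    obs = {p: observe(p) for p in paths if os.path.exists(p)}
    stale = stale_anchors(obs, int(time.time()))
    for p in stale:
        print(f"STALE: {p} last probed {(int(time.time()) - obs[p]) // 86400} days ago")
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron against the real unbound.conf and alert on a non-zero exit; the threshold should be longer than unbound's probe interval so that a healthy anchor is never reported.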