Hi!

I co-maintain unbound in Fedora. unbound-anchor is used periodically to maintain the DNSSEC trust anchor (RFC 5011). But I observed in our internal network that it always requires direct DNS access. In our network, that is blocked.

I know I can use unbound-anchor -f /etc/resolv.conf. That would fail in any case when local resolvers do not support DNSSEC. That disqualifies it as a general fix. I needed something between that. I think always sending client queries directly to root servers is not very good practice.

So I dug into unbound-anchor code and prepared a fix. I created bug #4112 [1] for it. It adds a new -R parameter. If used with -f /etc/resolv.conf, it will try to validate DNSKEY first on resolvers from it. If it fails, it would use direct root query as fallback. This way, unbound-anchor -f /etc/resolv.conf -R would work for most configurations.

Is it acceptable? Any opinions on it?

Regards,
Petr

[1] https://nlnetlabs.nl/bugs-script/show_bug.cgi?id=4112

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [email protected]
PGP: 65C6C973
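The "resolvers first, direct root query as fallback" behaviour Petr proposes can be approximated today from outside the tool. The wrapper below is an added example, not Petr's patch and not part of unbound. It assumes the documented exit codes of unbound-anchor (1 when the certificate-based fetch or the built-in anchor had to be used, 0 when RFC 5011 tracking succeeded or no update was needed, and also 0 on some errors, which is why an in-tool -R is the cleaner fix) and uses an UNBOUND_ANCHOR variable, an assumption of this script rather than an unbound-anchor feature, so the fallback logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not Petr's patch, not unbound's code): give today's
# unbound-anchor the resolvers-first / root-fallback behaviour that the
# proposed -R option would build in.
#
# Assumed exit-code contract (from the unbound-anchor man page):
#   1 = the certificate fetch or built-in anchor was used (DNS path failed)
#   0 = RFC 5011 tracking worked, no update needed, or an error occurred
# Because 0 also covers some errors, this wrapper only approximates -R.
#
# UNBOUND_ANCHOR is an assumption of this script: it names the command to
# run and defaults to unbound-anchor on PATH.

# fetch_anchor ANCHOR_FILE [RESOLV_CONF]
# Prints which path produced the anchor ("resolvers" or "root") and returns
# 0 on success, 1 if both attempts ended in the certificate/built-in fallback.
fetch_anchor() {
    anchor_file=$1
    resolv_conf=${2:-/etc/resolv.conf}
    ua=${UNBOUND_ANCHOR:-unbound-anchor}

    # First attempt: RFC 5011 tracking through the resolvers in resolv.conf.
    if "$ua" -a "$anchor_file" -f "$resolv_conf"; then
        echo resolvers
        return 0
    fi

    # Resolver path did not yield a validated anchor; retry with direct
    # root-server queries (unbound-anchor's default behaviour).
    if "$ua" -a "$anchor_file"; then
        echo root
        return 0
    fi
    return 1
}

# Stand-alone run: FETCH_ANCHOR_DEMO=1 sh fetch_anchor.sh
# Uses root.key in the current directory unless ANCHOR_FILE is set.
if [ "${FETCH_ANCHOR_DEMO:-0}" = 1 ]; then
    fetch_anchor "${ANCHOR_FILE:-root.key}" /etc/resolv.conf
fi
```

On a network where the resolvers do not validate DNSSEC, the first call returns 1 (certificate fallback), so the wrapper retries with direct root queries, which is exactly the ordering the proposed -R option encodes inside unbound-anchor; the difference is that the built-in option can distinguish a failed DNSKEY validation from the other conditions that share exit code 0.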
