Maintained by: NLnet Labs

unbound-anchor DNSKEY read-only import

Petr Menšík
Wed May 24 20:07:16 CEST 2017


Hello,

today I found a limitation of unbound-anchor related to package
management. I am not sure if it is by design. If root anchor is managed
and updated by periodic updates, everything is fine.

However when I tried to update new DNS trust anchor to unbound libraries
before it even appeared, I have found no secure way to do it. It does
only read existing DNSKEYS from file passed by -a parameter. After each
successful query that file is modified. That makes the file not replaced
by package management, because it contains changes.

I have been looking for way to add more keys into that file, but
unbound-anchor does not allow more trust anchor files. When I append new
keys into the file, It will work well next time, but no syntax is
checked when appending. It would be great if it can test syntax, test
whether it is already managed and add new key if not yet.

I think it would be useful if there was something like BIND
managed-keys. Source of new trusted anchor is only initialized from user
configured file. Then keys are managed in private bind directory, where
key rolling occurs. I were unable to find a way to do something similar
with unbound-anchor. Is there possible workaround with -C config file?

I am willing to create patch, but would like opinions from you. Do you
think it would be useful?

It would be also nice if there was possible fallback from
/etc/resolv.conf servers to direct root querying. If unbound operates in
environment that refuses direct access to internet servers, it will
never refresh DNSSEC key without manual configuration. I think it is not
expected. Something like forward first; option in bind configuration. It
would be handy, but I have workaround for this. Just try first with -f
/etc/resolv.conf, if it fails try without it. It would be nice to have
different return code for configuration failures and for DNS query
failures however.

Best Regards,
Petr Menšík