From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Reachability of DNS root servers for zone transfers
Date: Sun, 28 Oct 2018 19:43:55 +0100
Message-ID: <c326cd6b-9b14-4ef8-8309-7b262db06165@link38.eu>
Hello *,
I am currently working on making Unbound mirror essential DNS root
zones such as ".", "arpa.", "in-addr.arpa." and "ip6.arpa.". Since
Unbound provides the "auth-zone" flag for some time now, I did not
think of this as being too difficult.
However, things tend to become difficult when having a closer look
at them. :-\
Having IPFire installations with no direct access to the DNS root
servers turned out to be the biggest issue here. (Besides, not
all root servers can be used, as some of them do not allow zone
transfers via AXFR.) I am currently thinking of this procedure:
(a) If DNS servers are set and known to work, they are used to
fetch mentioned DNS root zones. In case of failures, Unbound
falls back to current behaviour. As DNS resolvers usually do not
allow zone transfers, I expect this to fail in most cases.
(b) In case no DNSSEC-validating or -aware resolvers are available,
Unbound falls back into recursor mode, assuming reachability of
at least one of these servers. In this case, fetching the zones
is easy.
(c) In case of permissive operation (no DNSSEC available), root
zones are not fetched.
It turned out Unbound bumps into validation errors sometimes, which
needs some further investigation.
Can/should we always assume DNS root servers are reachable?
Any opinions on this?
Thanks, and best regards,
Peter Müller
P.S.: In case anybody wants to test, here is the corresponding
Unbound configuration snippet (adjust paths if needed):
> # mirror DNS root zones
> auth-zone:
>     name: "."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: b.root-servers.net
>     master: c.root-servers.net
>     master: e.root-servers.net
>     master: f.root-servers.net
>     master: g.root-servers.net
>     master: k.root-servers.net
>     zonefile: "auth-zones/root"
>
> auth-zone:
>     name: "arpa."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: b.root-servers.net
>     master: c.root-servers.net
>     master: e.root-servers.net
>     master: f.root-servers.net
>     master: g.root-servers.net
>     master: k.root-servers.net
>     master: 80.67.169.40
>     master: 188.213.49.35
>     zonefile: "auth-zones/arpa"
>
> auth-zone:
>     name: "in-addr.arpa."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: f.in-addr-servers.arpa.
>     zonefile: "auth-zones/in-addr.arpa"
>
> auth-zone:
>     name: "ip6.arpa."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: f.ip6-servers.arpa.
>     zonefile: "auth-zones/ip6.arpa"
P.P.S.: See https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html
for the upstream mailing list thread.
--
Microsoft DNS terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
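A small shell check for the reachability question raised in the message above, added here as an example and not part of the original mail or the IPFire project: it attempts an AXFR of a zone from each master listed in the "." snippet via dig(1) and classifies the outcome, so an installation can tell which masters it can actually fetch from before enabling the auth-zone. The matched strings are assumed from dig's usual output messages.

```shell
#!/bin/sh
# Probe which auth-zone masters answer an AXFR for a zone.
# Assumes dig(1) from BIND is on PATH; run "sh axfr-check.sh run".

# Classify captured "dig AXFR" output read from stdin.
# Prints one of: ok | refused | unreachable | unknown
classify_axfr_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^;; XFR size:'; then
        echo ok                       # full transfer received
    elif printf '%s\n' "$out" | grep -q '^; Transfer failed'; then
        echo refused                  # server answered but denied AXFR
    elif printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo unreachable              # no TCP/53 path to the server
    else
        echo unknown
    fi
}

# Try an AXFR of zone $1 from master $2 over TCP with a short timeout.
check_master() {
    dig +tcp +time=5 +tries=1 AXFR "$1" @"$2" 2>/dev/null | classify_axfr_output
}

# Walk the masters from the "." auth-zone in the snippet above and
# print "<master> <result>" per line.
usable_root_masters() {
    for m in b c e f g k; do
        printf '%s.root-servers.net %s\n' "$m" \
            "$(check_master . "$m.root-servers.net")"
    done
}

if [ "${1:-}" = run ]; then
    usable_root_masters
fi
```

A master that reports "refused" is not usable as an auth-zone source even though it is reachable, which matches the observation above that some root servers do not allow zone transfers.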