Re: Reachability of DNS root servers for zone transfers

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3374 bytes --]

Hi,

On Sun, 2018-10-28 at 19:43 +0100, Peter Müller wrote:
> Hello *,
> 
> I am currently working on making Unbound mirror essential DNS root
> zones such as ".", "arpa.", "in-addr.arpa." and "ip6.arpa.". Since
> Unbound provides the "auth-zone" flag for some time now, I did not
> think of this as being too difficult.
> 
> However, things use to become difficult while having a closer look
> at them. :-\
> 
> Having IPFire installations with no direct access to the DNS root
> servers turned out to be the biggest issue here. (Besides, not
> all root servers can be used, as some of them do not allow zone
> transfers via AXFR.) I am currently thinking of this procedure:
> 
> (a) If DNS servers are set an known to work, they are used to
> fetch mentioned DNS root zones. In case of failures, Unbound
> falls back to current behaviour. As DNS resolvers usually do not
> allow zone transfers, I expect this to fail in most cases.

The fallback is essential. This cannot render DNS unusable.

> (b) In case no DNSSEC-validating or -aware resolvers are available,
> Unbound falls back into recursor mode, assuming reachability of
> at least one of these servers. In this case, fetching the zones
> is easy.

In hindsight, this was a bad design decision. We assumed here that this will
always work and that is not true. However, the amount of users is still
relatively small.

> (c) In case of permissive operation (no DNSSEC available), root
> zones are not fetched.

Why?

> It turned out Unbound bumps into validation errors sometime, which
> needs some further investigation.
> 
> Can/should we always assume DNS root servers are reachable?
> Any opinions on this?

Not always, but for the vast majority of users, they should be available.

If not, what are the downsides? Also what are the upsides of this?

> Thanks, and best regards,
> Peter Müller
> 
> P.S.: In case anybody wants to test, here is the corresponding
> Unbound configuration snippet (adjust paths if needed):
> 
> > # mirror DNS root zones
> > auth-zone:
> > 	name: "."
> > 	for-downstream: no
> > 	for-upstream: yes
> > 	fallback-enabled: yes
> > 	master: b.root-servers.net
> > 	master: c.root-servers.net
> > 	master: e.root-servers.net
> > 	master: f.root-servers.net
> > 	master: g.root-servers.net
> > 	master: k.root-servers.net
> > 	zonefile: "auth-zones/root"
> > 
> > auth-zone:
> > 	name: "arpa."
> > 	for-downstream: no
> > 	for-upstream: yes
> > 	fallback-enabled: yes
> > 	master: b.root-servers.net
> > 	master: c.root-servers.net
> > 	master: e.root-servers.net
> > 	master: f.root-servers.net
> > 	master: g.root-servers.net
> > 	master: k.root-servers.net
> > 	master: 80.67.169.40
> > 	master: 188.213.49.35
> > 	zonefile: "auth-zones/arpa"
> > 
> > auth-zone:
> > 	name: "in-addr.arpa."
> > 	for-downstream: no
> > 	for-upstream: yes
> > 	fallback-enabled: yes
> > 	master: f.in-addr-servers.arpa.
> > 	zonefile: "auth-zones/in-addr.arpa"
> > 
> > auth-zone:
> > 	name: "ip6.arpa."
> > 	for-downstream: no
> > 	for-upstream: yes
> > 	fallback-enabled: yes
> > 	master: f.ip6-servers.arpa.
> > 	zonefile: "auth-zones/ip6.arpa"
> 
> P.P.S.: See 
> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html
> for upstream mailinglist thread.

Just for the fun of it, I have added all zones to
ns{1,2,3}.lightningwirelabs.com and allow AXFR for everyone.

-Michael