From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Reachability of DNS root servers for zone transfers
Date: Mon, 29 Oct 2018 13:25:11 +0000

Hi,

On Sun, 2018-10-28 at 19:43 +0100, Peter Müller wrote:
> Hello *,
>
> I am currently working on making Unbound mirror essential DNS root
> zones such as ".", "arpa.", "in-addr.arpa." and "ip6.arpa.". Since
> Unbound provides the "auth-zone" flag for some time now, I did not
> think of this as being too difficult.
>
> However, things tend to become difficult while having a closer look
> at them. :-\
>
> Having IPFire installations with no direct access to the DNS root
> servers turned out to be the biggest issue here. (Besides, not
> all root servers can be used, as some of them do not allow zone
> transfers via AXFR.) I am currently thinking of this procedure:
>
> (a) If DNS servers are set and known to work, they are used to
> fetch the mentioned DNS root zones. In case of failures, Unbound
> falls back to the current behaviour. As DNS resolvers usually do not
> allow zone transfers, I expect this to fail in most cases.

The fallback is essential. This cannot render DNS unusable.

> (b) In case no DNSSEC-validating or -aware resolvers are available,
> Unbound falls back into recursor mode, assuming reachability of
> at least one of these servers. In this case, fetching the zones
> is easy.

In hindsight, this was a bad design decision. We assumed here that this
will always work and that is not true. However, the amount of users is
still relatively small.

> (c) In case of permissive operation (no DNSSEC available), root
> zones are not fetched.

Why?

> It turned out Unbound bumps into validation errors sometimes, which
> needs some further investigation.
>
> Can/should we always assume DNS root servers are reachable?
> Any opinions on this?

Not always, but for the vast majority of users, they should be
available. If not, what are the downsides? Also what are the upsides of
this?

> Thanks, and best regards,
> Peter Müller
>
> P.S.: In case anybody wants to test, here is the corresponding
> Unbound configuration snippet (adjust paths if needed):
>
> > # mirror DNS root zones
> > auth-zone:
> >     name: "."
> >     for-downstream: no
> >     for-upstream: yes
> >     fallback-enabled: yes
> >     master: b.root-servers.net
> >     master: c.root-servers.net
> >     master: e.root-servers.net
> >     master: f.root-servers.net
> >     master: g.root-servers.net
> >     master: k.root-servers.net
> >     zonefile: "auth-zones/root"
> >
> > auth-zone:
> >     name: "arpa."
> >     for-downstream: no
> >     for-upstream: yes
> >     fallback-enabled: yes
> >     master: b.root-servers.net
> >     master: c.root-servers.net
> >     master: e.root-servers.net
> >     master: f.root-servers.net
> >     master: g.root-servers.net
> >     master: k.root-servers.net
> >     master: 80.67.169.40
> >     master: 188.213.49.35
> >     zonefile: "auth-zones/arpa"
> >
> > auth-zone:
> >     name: "in-addr.arpa."
> >     for-downstream: no
> >     for-upstream: yes
> >     fallback-enabled: yes
> >     master: f.in-addr-servers.arpa.
> >     zonefile: "auth-zones/in-addr.arpa"
> >
> > auth-zone:
> >     name: "ip6.arpa."
> >     for-downstream: no
> >     for-upstream: yes
> >     fallback-enabled: yes
> >     master: f.ip6-servers.arpa.
> >     zonefile: "auth-zones/ip6.arpa"
>
> P.P.S.: See
> https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html
> for the upstream mailing list thread.

Just for the fun of it, I have added all zones to
ns{1,2,3}.lightningwirelabs.com and allow AXFR for everyone.

-Michael
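The point Michael insists on above is that `fallback-enabled: yes` must be present on every mirrored zone, otherwise an unreachable master turns into a resolver outage. The following script is an added example (not IPFire or Unbound code) that parses `auth-zone:` clauses in the unbound.conf syntax the snippet uses and flags zones whose configuration would break resolution when no master can be reached. The sample configuration is constructed for the example and modelled on the quoted snippet; two of its zones deliberately lack a working fallback. The assumption that `fallback-enabled` defaults to `no` matches the unbound.conf(5) documentation.

```python
"""Audit Unbound auth-zone clauses for the fallback setting the thread calls essential.

Added example, not code from IPFire or Unbound. Handles the clause syntax used in
unbound.conf: a line 'auth-zone:' followed by indented 'key: value' lines.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the snippet quoted in the thread. The "arpa."
# zone omits fallback-enabled (Unbound defaults it to "no"), and "in-addr.arpa."
# sets it to "no" explicitly; only the root zone is configured safely.
SAMPLE_CONF = """\
# mirror DNS root zones
auth-zone:
    name: "."
    for-downstream: no
    for-upstream: yes
    fallback-enabled: yes
    master: b.root-servers.net
    master: c.root-servers.net
    zonefile: "auth-zones/root"

auth-zone:
    name: "arpa."
    for-downstream: no
    for-upstream: yes
    master: b.root-servers.net
    zonefile: "auth-zones/arpa"

auth-zone:
    name: "in-addr.arpa."
    for-downstream: no
    for-upstream: yes
    fallback-enabled: no
    master: f.in-addr-servers.arpa.
    zonefile: "auth-zones/in-addr.arpa"
"""

KEY_VALUE = re.compile(r"\s*([\w-]+):\s*(.*)$")


def parse_auth_zones(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per auth-zone clause; repeated keys (master:) become lists."""
    zones: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if line.strip() == "auth-zone:":
            current = {}
            zones.append(current)
            continue
        if current is None:
            continue  # keys belonging to other clauses (server:, etc.) are ignored
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip('"')
        current.setdefault(key, []).append(value)
    return zones


def audit_auth_zones(text: str) -> List[Tuple[str, str]]:
    """Report (zone name, problem) pairs for zones that could break resolution."""
    findings: List[Tuple[str, str]] = []
    for zone in parse_auth_zones(text):
        name = zone.get("name", ["<unnamed>"])[0]
        # Unbound's documented default for fallback-enabled is "no".
        fallback = zone.get("fallback-enabled", ["no"])[0]
        if fallback != "yes":
            findings.append((name, "fallback-enabled is %r: lookups fail when no "
                                   "master is reachable" % fallback))
        if not zone.get("master") and not zone.get("url"):
            findings.append((name, "no master or url configured: zone can never "
                                   "be fetched"))
    return findings


if __name__ == "__main__":
    for zone_name, problem in audit_auth_zones(SAMPLE_CONF):
        print("%-16s %s" % (zone_name, problem))
```

Run against a real unbound.conf, the audit is a cheap pre-deployment check: a zone listed in its output is one whose masters being unreachable (the IPFire-behind-a-resolver case discussed in the thread) would stop Unbound from answering instead of silently falling back to normal recursion.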