Hi,
On Sun, 2018-10-28 at 19:43 +0100, Peter Müller wrote:
> Hello *,
> I am currently working on making Unbound mirror essential DNS root zones such as ".", "arpa.", "in-addr.arpa." and "ip6.arpa.". Since Unbound provides the "auth-zone" flag for some time now, I did not think of this as being too difficult.
> However, things tend to become difficult when having a closer look at them. :-\
> Having IPFire installations with no direct access to the DNS root servers turned out to be the biggest issue here. (Besides, not all root servers can be used, as some of them do not allow zone transfers via AXFR.) I am currently thinking of this procedure:
> (a) If DNS servers are set and known to work, they are used to fetch the mentioned DNS root zones. In case of failures, Unbound falls back to the current behaviour. As DNS resolvers usually do not allow zone transfers, I expect this to fail in most cases.
The fallback is essential. This cannot render DNS unusable.
> (b) In case no DNSSEC-validating or -aware resolvers are available, Unbound falls back into recursor mode, assuming reachability of at least one of these servers. In this case, fetching the zones is easy.
In hindsight, this was a bad design decision. We assumed here that this will always work and that is not true. However, the amount of users is still relatively small.
> (c) In case of permissive operation (no DNSSEC available), root zones are not fetched.
Why?
> It turned out Unbound bumps into validation errors sometimes, which needs some further investigation.
> Can/should we always assume DNS root servers are reachable? Any opinions on this?
Not always, but for the vast majority of users, they should be available.
If not, what are the downsides? Also what are the upsides of this?
> Thanks, and best regards, Peter Müller
>
> P.S.: In case anybody wants to test, here is the corresponding Unbound configuration snippet (adjust paths if needed):
>
> # mirror DNS root zones
> auth-zone:
>     name: "."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: b.root-servers.net
>     master: c.root-servers.net
>     master: e.root-servers.net
>     master: f.root-servers.net
>     master: g.root-servers.net
>     master: k.root-servers.net
>     zonefile: "auth-zones/root"
>
> auth-zone:
>     name: "arpa."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: b.root-servers.net
>     master: c.root-servers.net
>     master: e.root-servers.net
>     master: f.root-servers.net
>     master: g.root-servers.net
>     master: k.root-servers.net
>     master: 80.67.169.40
>     master: 188.213.49.35
>     zonefile: "auth-zones/arpa"
>
> auth-zone:
>     name: "in-addr.arpa."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: f.in-addr-servers.arpa.
>     zonefile: "auth-zones/in-addr.arpa"
>
> auth-zone:
>     name: "ip6.arpa."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: f.ip6-servers.arpa.
>     zonefile: "auth-zones/ip6.arpa"
>
> P.P.S.: See https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html for the upstream mailing list thread.
Just for the fun of it, I have added all zones to ns{1,2,3}.lightningwirelabs.com and allow AXFR for everyone.
-Michael
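Added example, not code from this thread, IPFire or Unbound: a small Python linter that parses auth-zone: blocks written in the style of the snippet quoted above and flags the settings the thread treats as essential (fallback-enabled: yes so a failed transfer cannot break resolution, at least one master:, and for-downstream: no so the mirror is only used by the resolver itself). The sample config is constructed, with the second zone deliberately missing fallback-enabled.

```python
# Constructed sample in the same style as the snippet in the mail; the second
# zone deliberately omits fallback-enabled so the linter has something to flag.
SAMPLE_CONFIG = """
auth-zone:
    name: "."
    for-downstream: no
    for-upstream: yes
    fallback-enabled: yes
    master: b.root-servers.net
    zonefile: "auth-zones/root"
auth-zone:
    name: "in-addr.arpa."
    for-downstream: no
    for-upstream: yes
    master: f.in-addr-servers.arpa.
    zonefile: "auth-zones/in-addr.arpa"
"""

def parse_auth_zones(text):
    """Return one dict per auth-zone: block; 'master' collects every master: line."""
    zones = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "auth-zone:":
            zones.append({"master": []})
        elif zones:  # keys before the first auth-zone: block are ignored
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip().strip('"')
            if key == "master":
                zones[-1]["master"].append(value)
            else:
                zones[-1][key] = value
    return zones

def lint_auth_zones(text):
    """Return (zone name, problem) tuples; an empty list means the config passes."""
    problems = []
    for zone in parse_auth_zones(text):
        name = zone.get("name", "<unnamed>")
        if zone.get("fallback-enabled") != "yes":
            problems.append((name, "fallback-enabled must be yes so a failed transfer never breaks resolution"))
        if not zone["master"]:
            problems.append((name, "no master: entry, the zone can never be transferred"))
        if zone.get("for-downstream", "no") == "yes":
            problems.append((name, "for-downstream should be no, the mirror is meant for the resolver itself"))
    return problems
```

Run `lint_auth_zones(SAMPLE_CONFIG)` to see the in-addr.arpa. zone flagged; feed it the real unbound.conf text to check a production setup.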