I am looking for some confirmation whether Unbound needs a reload after either root.hints or root.key are updated. Arch Wiki [1] seems to imply a reload is not required for root.hints.
What about root.key? Looking at unbound-anchor.service on my installation, which executes:
unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
seems to imply I can do without. Unless, of course, unbound-anchor issues a reload internally.
I searched through the archive of this list and spit through the documentation, but haven't found explicit confirmation.
I hope someone on this list can shed some light. Thanks a lot.
On root hint, reload is not required. Unbound will use root.hints file on startup but updates its root NS list periodically by root priming queries [RFC8109].
On DNSSEC trust anchor, all you need is
auto-trust-anchor-file: "/var/lib/unbound/root.key"
in unbound.conf and do not execute unbound-anchor periodically.
"auto-trust-anchor-file" keeps tracking root trust anchor updates [RFC5011] and saves them automatically.
If you choose
trust-anchor-file: "/var/lib/unbound/root.key"
(old style, not recommended) for some reason, reload is required on root.key file update. unbound-anchor fetches trust-anchor but won’t issue reload.
> On root hint, reload is not required. Unbound will use root.hints
> file on startup but updates its root NS list periodically by root
> priming queries [RFC8109].
Thank you for clarifying. That one is clear. And it helps not having to reload Unbound, since that would clear the cache. Although it can be dumped and reloaded.
> On DNSSEC trust anchor, all you need is auto-trust-anchor-file:
> "/var/lib/unbound/root.key" in unbound.conf and do not execute
> unbound-anchor periodically. "auto-trust-anchor-file" keeps tracking
> root trust anchor updates [RFC5011] and save it automatically.
Okay. That comes a bit as a surprise. On my system (Fedora 35) the default setup is to run unbound-anchor once before starting unbound.service, and henceforth unbound-anchor will be run daily, triggered by a systemd timer, which is enabled by default.
Moreover, if I understand unbound-anchor correctly, it fetches the root key from IANA's website if RFC5011 fails (e.g. root-key not yet present). So, that begs the question why Fedora chooses to run unbound-anchor daily.
In my case, I'm using root hints and root key from OpenNIC. I'm used to updating root hints periodically. I recently migrated to Unbound using dnssec validation. Before I used BIND without dnssec validation. So, I fetched the key from one of the OpenNIC root servers and put it in /var/lib/unbound/root.key. But how would Unbound know which server to query for RFC5011? Does it use the root hints for that? Or do I need to define that elsewhere?
I was prepared to do it by cronjob (or timer) periodically, assuming Unbound has no way of knowing where that key comes from.
> So, I
> fetched the key from one of the OpenNIC root servers and put it in
> /var/lib/unbound/root.key. But how would Unbound know which server to
> query for RFC5011? Does it use the root hints for that? Or do I need to define that elsewhere?
Unbound's RFC5011 support (auto-trust-anchor-file) fetches the root trust anchor (DNSKEYs) from the root servers specified in the root hints (or learned via root priming). So if you use OpenNIC root hints, Unbound should keep track of OpenNIC root trust anchors.
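The replies above say that with auto-trust-anchor-file Unbound tracks the trust anchor on its own, probing the root servers from the hints, so neither a daily unbound-anchor run nor a reload is needed. What a practitioner then wants is a way to confirm that this tracking is actually working, especially with a non-standard root such as OpenNIC. The script below is an added example, not code from the thread or from the Unbound project: it parses the bookkeeping comments Unbound writes into the auto-trust-anchor file (the ";;last_success", ";;query_failed" and per-key ";;state=N" fields) and reports whether the anchor is in the VALID state and was recently probed. The sample file contents are constructed, and the numbering of the RFC 5011 states (2 = VALID, 3 = MISSING, 4 = REVOKED) is taken from Unbound's autotrust code and should be treated as an assumption.

```python
"""Check whether Unbound's RFC 5011 tracking of a trust anchor is healthy.

Added example, not part of the mailing-list thread. It reads the file named by
auto-trust-anchor-file in unbound.conf and inspects the state comments that
Unbound maintains in it. Field names and state numbers follow Unbound's
autotrust file format (assumption; verify against your Unbound version).
"""
import re
import sys
import time

# RFC 5011 anchor states as numbered by Unbound's autotrust code (assumption).
STATE_NAMES = {0: "START", 1: "ADDPEND", 2: "VALID", 3: "MISSING",
               4: "REVOKED", 5: "REMOVED"}
STATE_VALID, STATE_REVOKED = 2, 4

# ";;name: value ..." header lines written at the top of the file.
HEADER_RE = re.compile(r"^;;(\w+):\s*(\S+)")
# DNSKEY line followed by Unbound's ";{id = N ...} ;;state=N ... ;;count=N" comments.
KEY_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+\d+\s+(\d+)\s+(\S+)"
    r".*?;\{id = (\d+).*?;;state=(\d+).*?;;count=(\d+)"
)

# Constructed sample: a healthy file shortly after a successful probe.
SAMPLE_OK = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1700000000 ;;Tue Nov 14 22:13:20 2023
;;last_success: 1700000000 ;;Tue Nov 14 22:13:20 2023
;;next_probe_time: 1700041200 ;;Wed Nov 15 09:40:00 2023
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAexampleKeyData ;{id = 12345 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1700000000 ;;Tue Nov 14 22:13:20 2023
"""

# Constructed sample: probes failing for days and the anchor marked MISSING.
SAMPLE_STALE = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1700090000 ;;Wed Nov 15 23:13:20 2023
;;last_success: 1699000000 ;;Fri Nov  3 08:26:40 2023
;;next_probe_time: 1700098640 ;;Thu Nov 16 01:37:20 2023
;;query_failed: 3
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAexampleKeyData ;{id = 12345 (ksk), size = 2048b} ;;state=3 [ MISSING ] ;;count=0 ;;lastchange=1699000000 ;;Fri Nov  3 08:26:40 2023
"""


def parse_anchor_file(text):
    """Return the header fields plus a list of keys with their RFC 5011 state."""
    info = {"keys": []}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        m = KEY_RE.match(line)
        if m:
            info["keys"].append({
                "owner": m.group(1), "flags": int(m.group(2)),
                "algorithm": int(m.group(3)), "tag": int(m.group(5)),
                "state": int(m.group(6)), "count": int(m.group(7)),
            })
    return info


def assess(info, now=None, max_age=2 * 86400):
    """Return (healthy, findings). A healthy file has a recent successful
    probe, no consecutive failures and at least one VALID key with the
    SEP bit (flags & 1) set."""
    now = int(time.time()) if now is None else now
    findings = []
    last_success = int(info.get("last_success", 0))
    if not last_success:
        findings.append("no successful RFC 5011 probe recorded")
    elif now - last_success > max_age:
        findings.append(f"last successful probe is {(now - last_success) // 3600} h old")
    failed = int(info.get("query_failed", 0))
    if failed:
        findings.append(f"{failed} consecutive probe failures")
    if not any(k["state"] == STATE_VALID and k["flags"] & 1 for k in info["keys"]):
        findings.append("no trust anchor (SEP key) in VALID state")
    for k in info["keys"]:
        if k["state"] == STATE_REVOKED:
            findings.append(f"key tag {k['tag']} is REVOKED")
    return not findings, findings


def report(text, now=None):
    """Parse and assess one file, printing a one-line verdict per key."""
    info = parse_anchor_file(text)
    for k in info["keys"]:
        print(f"{k['owner']} tag {k['tag']}: {STATE_NAMES.get(k['state'], '?')}")
    healthy, findings = assess(info, now)
    print("OK" if healthy else "PROBLEMS: " + "; ".join(findings))
    return healthy


if __name__ == "__main__":
    # Usage: python check_anchor.py /var/lib/unbound/root.key (falls back to samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            sys.exit(0 if report(f.read()) else 1)
    report(SAMPLE_OK, now=1700100000)
    report(SAMPLE_STALE, now=1700100000)
```

Point it at the file named in auto-trust-anchor-file (in the thread, /var/lib/unbound/root.key). If the header fields never change, the likely cause is that Unbound cannot write the file: the directory must be writable by the user Unbound runs as, otherwise the RFC 5011 state is never persisted.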