Hi!
I co-maintain unbound in Fedora. unbound-anchor is used periodically to
maintain the DNSSEC trust anchor (RFC 5011). But I observed in our internal
network that it always requires direct DNS access. In our network, that
is blocked.
I know I can use unbound-anchor -f /etc/resolv.conf. That would fail in
any case where local resolvers do not support DNSSEC. That disqualifies
it as a general fix. I needed something in between. I think always
sending client queries directly to root servers is not very good practice.
So I dug into the unbound-anchor code and prepared a fix. I created bug
#4112 [1] for it. It adds a new -R parameter. If used with -f
/etc/resolv.conf, it will first try to validate the DNSKEY on the resolvers
from it. If that fails, it will use a direct root query as a fallback. This way,
unbound-anchor -f /etc/resolv.conf -R would work for most configurations.
Is it acceptable? Any opinions on it?
Regards,
Petr
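The ordering the post proposes (ask the resolvers listed in /etc/resolv.conf first, fall back to a direct root query only if none of them yields a validated DNSKEY) is small enough to model stand-alone. The block below is an added illustration, not code from the post or from unbound's own sources; `parse_resolv_conf`, `fetch_root_dnskey` and the two query callbacks are hypothetical names, and the sample resolv.conf content is constructed. The DNSSEC validation itself is left to the injected callbacks, so only the source-selection policy is shown.

```python
"""Added example (not from the mailing-list post or from unbound):
a minimal model of the resolver-first, root-fallback ordering described
for the proposed -R option.  All names here are hypothetical; the real
change is the patch attached to bug #4112."""

import ipaddress


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text.

    Only 'nameserver' directives count; comments (# or ;), 'search',
    'options' and unparsable addresses are skipped, as a libc resolver
    would do, instead of aborting the whole read.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed address: ignore this line
    return servers


def fetch_root_dnskey(resolvers, query_resolver, query_root):
    """Try each local resolver in order; fall back to a direct root query.

    query_resolver(addr) and query_root() are callbacks that return a
    validated root DNSKEY RRset (any object) or raise on failure.
    Returns (source, rrset) where source is the resolver address that
    answered, or 'root' when the fallback was used.  Raises RuntimeError
    when no source worked, so the caller keeps its existing anchor
    rather than replacing it with nothing.
    """
    errors = []
    for addr in resolvers:
        try:
            return addr, query_resolver(addr)
        except Exception as exc:  # SERVFAIL, timeout, bogus signature...
            errors.append(f"{addr}: {exc}")
    try:
        return "root", query_root()
    except Exception as exc:
        errors.append(f"root: {exc}")
    raise RuntimeError("no source returned a validated DNSKEY: "
                       + "; ".join(errors))


if __name__ == "__main__":
    # Constructed resolv.conf content, including lines that must be ignored.
    sample = (
        "# generated for an internal network\n"
        "search corp.example\n"
        "nameserver 192.0.2.1\n"
        "nameserver not-an-address\n"
        "nameserver 2001:db8::53 ; secondary\n"
        "options timeout:1\n"
    )
    resolvers = parse_resolv_conf(sample)
    print("resolvers:", resolvers)

    def local_no_dnssec(addr):
        # Models a local resolver that cannot validate (the case the
        # post describes where plain -f /etc/resolv.conf fails).
        raise ConnectionError(f"{addr} returned SERVFAIL for ./DNSKEY")

    def direct_root():
        return {"name": ".", "type": "DNSKEY", "validated": True}

    source, rrset = fetch_root_dnskey(resolvers, local_no_dnssec, direct_root)
    print("DNSKEY obtained from:", source, rrset)
```

With a validating local resolver the first address in the list answers and no root traffic is sent; with non-validating resolvers every candidate is tried and the function falls back to the direct root query, which is the behaviour the post wants from `-f /etc/resolv.conf -R`.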