MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License

Is it necessary to restart Unbound every six months to refresh root.key? #47

Open Gatsby-Lee opened 8 months ago

Gatsby-Lee commented 8 months ago

Hello,

First, I really appreciate your work. I believe your work has helped lots of people.

The question I'd like to ask you is whether it's required or necessary to restart Unbound to refresh the root.key. I read somewhere that the root.key should be updated (mostly by the package manager).

If I understood the unbound.sh in this repo correctly, it updates the root.key when the container is initialized for the first time.

/opt/unbound/sbin/unbound-anchor -a /opt/unbound/etc/unbound/var/root.key

So, I am wondering if I have to (or need to) set up a crontab schedule that stops (and removes) the Unbound container on a schedule.

Thank you, Gatsby

MatthewVance commented 8 months ago

Gatsby, good question.

Your understanding is correct that the unbound.sh script that runs at container creation executes /opt/unbound/sbin/unbound-anchor -a /opt/unbound/etc/unbound/var/root.key and sets auto-trust-anchor-file: "var/root.key" in the default config. It uses that location due to the chroot setting (chroot: "/opt/unbound/etc/unbound").

I have not explicitly tested this to confirm that it updates itself if the container isn't re-initialized for a long time. However, my understanding of the Unbound docs is that "Unbound uses RFC5011 updates to keep the anchor updated if it is changed while the computer is in operation, but the unbound-anchor tool is used if it is changed while the computer is not in operation."

This other doc may also be helpful: https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html

Does this help?
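As an added example (not part of this issue thread or the repo's unbound.sh): a shell check of the RFC 5011 bookkeeping that Unbound writes into its auto-trust-anchor-file, so you can see whether the running container has refreshed root.key on its own instead of inferring it from container age. The ";;" line layout is Unbound's; the sample file content, the placeholder key material and the one-week freshness threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the repo's unbound.sh: inspect the RFC 5011 state
# Unbound records in its auto-trust-anchor-file (var/root.key under the chroot).
# Layout of the ";;" bookkeeping lines is Unbound's; sample content is constructed.

# Exit 0 when the file holds at least one key in state VALID and the last
# successful probe is no older than MAX_AGE seconds (assumed default: 7 days).
anchor_status() {
    file=$1; now=$2; max_age=${3:-604800}
    last_success=$(awk '/^;;last_success:/ {print $2; exit}' "$file")
    failed=$(awk '/^;;query_failed:/ {print $2; exit}' "$file")
    valid=$(grep -c 'DNSKEY.*;;state=2 \[ *VALID *\]' "$file" || true)
    [ -n "$last_success" ] || { echo "$file: no probe recorded"; return 1; }
    [ "$valid" -gt 0 ] || { echo "$file: no key in state VALID"; return 1; }
    [ $((now - last_success)) -le "$max_age" ] ||
        { echo "$file: last successful probe is older than $max_age s"; return 1; }
    echo "$file: ok, $valid VALID key(s), ${failed:-0} failed probe(s)"
}

# Write a constructed anchor file: $1 path, $2 last-success epoch, $3 state text.
# Key material is a placeholder, not the real root KSK.
write_sample_anchor() {
    cat > "$1" <<EOF
; autotrust trust anchor file
;;id: . 1
;;last_queried: $2 ;;(constructed)
;;last_success: $2 ;;(constructed)
;;next_probe_time: $(( $2 + 43200 )) ;;(constructed)
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.	86400	IN	DNSKEY	257 3 8 PLACEHOLDERKEYMATERIAL ;{id = 20326 (ksk), size = 2048b} ;;state=$3 ;;count=0 ;;lastchange=$2 ;;(constructed)
EOF
}

# Demonstration on a constructed file; in the container, point anchor_status at
# /opt/unbound/etc/unbound/var/root.key instead.
demo=$(mktemp)
write_sample_anchor "$demo" $(( $(date +%s) - 3600 )) "2 [  VALID  ]"
anchor_status "$demo" "$(date +%s)"
rm -f "$demo"
```

A stale last_success or a key that has left state VALID is the signal that the in-operation RFC 5011 update is not happening and unbound-anchor (or a re-initialized container) is needed.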

Gatsby-Lee commented 8 months ago

@MatthewVance Thank you for your response.

I was confusing root.hints and root.key.

I am trying to use Unbound as a recursive DNS, not a forwarding DNS. To do that, I should get the root.hints and refresh it every 6 months. To refresh it, I pretty much have to restart the container, and then Unbound will lose its DNS cache and get slower.

I am wondering if there is a way to reload the updated config or root.hints without stopping the running Unbound. If you're not sure, no worries.

Thank you

Gatsby-Lee commented 8 months ago

@MatthewVance BTW, do you happen to know why this repo's Dockerfile can't be used to build an image for amd64? Also, when I tried to build ARM / ARM64 images with the unbound-docker repo, it failed as well.

When I compared the two Dockerfiles, I didn't see much difference (maybe I can't see the difference due to my lack of knowledge).