unbound-anchor: fails on exclusive DNS over TLS setups

[swhite2]

Describe the bug See https://github.com/opnsense/core/issues/5441 for a detailed description of the issue, as well as the steps to take to reproduce the issue.

Short description: Blocking outbound packets on UDP/53 on a remote machine, while running DNS over TLS with DNSSEC support enabled, causes unbound-anchor to block for a long time, since no packets are leaving the network. A workaround would be to explicitly block outbound UDP/53 locally, however, this might have consequences for the validity of the root trust anchor over time, since any update cannot take place.

While it is obvious that the main DNSKEY UDP queries are therefore blocked, the failover as described in https://github.com/NLnetLabs/unbound/blob/master/smallapp/unbound-anchor.c#L49-L51 will also fail, as any DNS resolving is blocked - therefore a HTTPS connection cannot be established. Deleting the root.key file will result in Unbound not starting at all during boot/restart.

Expected behavior I would expect unbound-anchor to also resolve it's nameservers via port 853 over TLS, though it is unclear to me whether such a thing can be achieved via the configuration settings.

System:

• Unbound version: 1.13.2
• OS: FreeBSD 12.1-RELEASE-p21-HBSD OpenSSL 1.1.1l 24 Aug 2021
• unbound -V output:

  Configure line: --with-ssl=/usr/local --with-libexpat=/usr/local --disable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pyunbound=yes --with-pythonmodule=yes LDFLAGS=-L/usr/local/lib ac_cv_path_SWIG=/usr/local/bin/swig --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd12.1
  Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1l  24 Aug 2021
  Linked modules: dns64 python respip validator iterator

Additional information Please refer to the linked issue mentioned above.

[pemensik]

Unbound anchor uses separate configuration and does not read unbound's configuration file. But you don't need unbound-anchor if you run full unbound.

Use auto-trust-anchor-file: "/var/lib/unbound/root.key" in your configuration. That should do exactly what unbound-anchor does, but should be able to use TLS servers for it.

[pemensik]

I think you can use unbound-anchor -C /etc/unbound/unbound.conf parameter, which makes it possible to prepare root.key only via TLS.

Or better use shared configuration in /etc/unbound/conf.d/tls.conf, which would be used in unbound automatically. Then you can use this config for unbound-anchor or unbound-host.