Bug 1208748 - unbound: remove unbound-anchor & ship DNS root data separately
Summary: unbound: remove unbound-anchor & ship DNS root data separately
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: Rubén Torrero Marijnissen
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2023-02-28 10:59 UTC by Wolfgang Frisch
Modified: 2023-02-28 11:00 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Wolfgang Frisch 2023-02-28 10:59:00 UTC
The unbound package currently includes unbound-anchor, a tool that updates the root trust anchor for DNSSEC validation. unbound-anchor is executed by the systemd .service before every start of the main unbound server.

While this is a viable solution, we can reduce the attack surface by removing unbound-anchor and shipping the DNS root data separately. This is described in RFC 7958 and was confirmed, on the unbound mailing list [1], by one of its co-authors as the ideal distribution method. Debian can serve as an example implementation [2]. See also a previous bug report [3].

[ ] Package DNS root data separately
[ ] Remove unbound-anchor from systemd service files
[ ] Remove the dependency on unbound-anchor

[1] https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-May/007749.html
[2] https://packages.debian.org/sid/dns-root-data
[3] https://bugzilla.opensuse.org/show_bug.cgi?id=1173619
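Added example, not part of the bug report and not code from the unbound project or any distribution package: the two halves of the checklist above expressed as files, a systemd drop-in that stops unbound-anchor from running before every start and an unbound config fragment that reads a separately packaged root trust anchor instead. The paths are assumptions (the anchor location mirrors the one Debian's dns-root-data package uses; the unit name unbound.service and an included conf.d directory are assumed), and every file is written below a scratch directory so the script runs unprivileged with constructed sample input; the checks it performs are the ones a packager would want before removing the unbound-anchor dependency.

```shell
#!/bin/sh
# Added example (not from the bug report or the unbound project).
# Assumptions: the anchor ships at ROOT_KEY, the unit is unbound.service, and
# unbound includes CONF_D/*.conf. Defaults point below WORKDIR, not /etc, so
# the script runs unprivileged; set the variables to real paths to apply it.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ROOT_KEY="${ROOT_KEY:-$WORKDIR/usr/share/dns/root.key}"   # assumed packaged path
DROPIN_DIR="${DROPIN_DIR:-$WORKDIR/etc/systemd/system/unbound.service.d}"
CONF_D="${CONF_D:-$WORKDIR/etc/unbound/conf.d}"

# Does a unit file (or drop-in) still run unbound-anchor before start?
# Returns 0 (true) if any ExecStartPre line mentions it.
unit_runs_anchor() {
    grep -Eq '^ExecStartPre=.*unbound-anchor' "$1"
}

# Does the anchor file hold a trust anchor for the root zone?  RFC 7958 publishes
# DS records; unbound also accepts a DNSKEY record in the same zone-file syntax.
root_key_looks_valid() {
    grep -Eq '^\.[[:space:]]+([0-9]+[[:space:]]+)?(IN[[:space:]]+)?(DS|DNSKEY)[[:space:]]' "$1"
}

# Drop-in: an empty ExecStartPre= clears every ExecStartPre inherited from the
# packaged unit, so unbound-anchor no longer runs and the vendor unit stays untouched.
write_dropin() {
    mkdir -p "$DROPIN_DIR"
    printf '[Service]\nExecStartPre=\n' > "$DROPIN_DIR/no-unbound-anchor.conf"
}

# Config: trust-anchor-file reads the packaged anchor as-is. auto-trust-anchor-file
# would instead make unbound track RFC 5011 rollovers and rewrite the file itself,
# which is the self-updating behaviour the separately packaged data replaces.
write_anchor_conf() {
    mkdir -p "$CONF_D"
    printf 'server:\n    trust-anchor-file: "%s"\n' "$ROOT_KEY" > "$CONF_D/root-anchor.conf"
}

# Returns 0 only when the drop-in exists and clears ExecStartPre, the config
# points at ROOT_KEY, and ROOT_KEY itself looks like a root trust anchor.
verify() {
    [ -f "$DROPIN_DIR/no-unbound-anchor.conf" ] || return 1
    ! unit_runs_anchor "$DROPIN_DIR/no-unbound-anchor.conf" || return 1
    grep -qF "trust-anchor-file: \"$ROOT_KEY\"" "$CONF_D/root-anchor.conf" || return 1
    root_key_looks_valid "$ROOT_KEY"
}

# Constructed sample input standing in for the packaged files (not real data).
# A vendor unit of the shape the report describes: unbound-anchor before every start.
SAMPLE_UNIT="$WORKDIR/usr/lib/systemd/system/unbound.service"
mkdir -p "$(dirname "$SAMPLE_UNIT")" "$(dirname "$ROOT_KEY")"
cat > "$SAMPLE_UNIT" <<'EOF'
[Service]
ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key
ExecStart=/usr/sbin/unbound -d
EOF
# A placeholder DS record in root.key syntax; only written if no anchor exists yet.
[ -f "$ROOT_KEY" ] || cat > "$ROOT_KEY" <<'EOF'
; constructed placeholder, not the real root trust anchor
. IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
EOF

if unit_runs_anchor "$SAMPLE_UNIT"; then
    echo "before: unit runs unbound-anchor on every start"
fi
write_dropin
write_anchor_conf
verify && echo "after: drop-in written, unbound reads $ROOT_KEY directly"
```

The drop-in approach means the packaged unit can keep its ExecStartPre until the package itself is changed; once the dependency on unbound-anchor is dropped, the same two files become the package's own unit and config, and the remaining question is who updates the packaged anchor when the root KSK rolls, which is exactly the responsibility the separate dns-root-data package carries.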
Comment 1 Wolfgang Frisch 2023-02-28 11:00:32 UTC
Just to be clear: This is NOT a vulnerability, just a minor hardening effort. Priority adjusted accordingly.