Move automatic root zone fetching to drop-in

Automatic maintained root zone is great for network resolvers, which are
used by multiple machines. Its usage on every common device is not
desired however, especially when used as localhost only cache daemon.

Unfortunately it is too late to change this behavior so move it to
drop-in to make process of disabling it easier.

Resolves: RHEL-77788

unbound-local-root.conf

@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+	name: "."
+	primary: 170.247.170.2        # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2801:1b8:10::b       # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes

unbound.conf

@@ -1071,27 +1071,27 @@ include: /etc/unbound/conf.d/*.conf
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from masters) sources of
 # notifies.
-auth-zone:
+#auth-zone:
-	name: "."
+#	name: "."
-	primary: 199.9.14.201         # b.root-servers.net
+#	primary: 199.9.14.201         # b.root-servers.net
-	primary: 192.33.4.12          # c.root-servers.net
+#	primary: 192.33.4.12          # c.root-servers.net
-	primary: 199.7.91.13          # d.root-servers.net
+#	primary: 199.7.91.13          # d.root-servers.net
-	primary: 192.5.5.241          # f.root-servers.net
+#	primary: 192.5.5.241          # f.root-servers.net
-	primary: 192.112.36.4         # g.root-servers.net
+#	primary: 192.112.36.4         # g.root-servers.net
-	primary: 193.0.14.129         # k.root-servers.net
+#	primary: 193.0.14.129         # k.root-servers.net
-	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-	primary: 2001:500:200::b      # b.root-servers.net
+#	primary: 2001:500:200::b      # b.root-servers.net
-	primary: 2001:500:2::c        # c.root-servers.net
+#	primary: 2001:500:2::c        # c.root-servers.net
-	primary: 2001:500:2d::d       # d.root-servers.net
+#	primary: 2001:500:2d::d       # d.root-servers.net
-	primary: 2001:500:2f::f       # f.root-servers.net
+#	primary: 2001:500:2f::f       # f.root-servers.net
-	primary: 2001:500:12::d0d     # g.root-servers.net
+#	primary: 2001:500:12::d0d     # g.root-servers.net
-	primary: 2001:7fd::1          # k.root-servers.net
+#	primary: 2001:7fd::1          # k.root-servers.net
-	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-	fallback-enabled: yes
+#	fallback-enabled: yes
-	for-downstream: no
+#	for-downstream: no
-	for-upstream: yes
+#	for-upstream: yes
 
 # auth-zone:
 #	name: "example.org"

unbound.spec

@@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 8%{?extra_version:.%{extra_version}}%{?dist}
+Release: 9%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -53,6 +53,7 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source21: remote-control.conf
+Source22: unbound-local-root.conf
 
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
@@ -298,6 +299,9 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
 install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
 
+# local root zone fetch to separated configuration file
+install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/
+
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
 
@@ -319,6 +323,7 @@ install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+ln -s ../unbound-local-root.conf %{buildroot}%{_sysconfdir}/unbound/conf.d/unbound-local-root.conf
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -383,11 +388,14 @@ popd
 %attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound-local-root.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/example.com.conf
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/remote-control.conf
+%missingok %verify(not mtime) %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
@@ -453,6 +461,10 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-9
+- Move automatic root zone fetching to drop-in
+- Resolves: RHEL-77788
+
 * Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
 - Ensure group access correction reaches also updated configs (CVE-2024-1488)