I was just scrolling through reddit and found this post:
In it someone mentioned this dns-root-data package that is a dependency of unbound. This package has the root hints file built in, and with no specific configuration, unbound will use this default root.hints file, which appears to be updated automatically by the system.
Why does the official pi-hole (and every other) user guide instruct to download the root hints manually, and specifically point to that file in the configuration files? Is there some concern about this officially included version? Is it just not well known?
Generally it just seems silly to me to add this extra step and manually download something that is already present, and already has a mechanism to keep itself updated.
I can't say to security. We currently instruct users to download directly from the author of the file. I haven't looked at or reviewed the packaged version.
In the current unreleased version the date matches the latest February 2020 time, but the actual one in the stable version of the package manager is dated for 2019. Regardless, it appears that all of the changes in the last 2 years have just been to update the timestamp in the file, and 2 years ago one ip address was changed.
I may not be following this argument. We start with "use what the package manager installs because it updates itself," but then the package manager doesn't update itself after all and you end up with an old root hints file.
Given that the package manager isn't updating it, wouldn't it be better to download and install a known fresh copy of the root.hints at the time of installing unbound?
Even though there were no changes between the two versions cited, that will not always be the case.
It is my understanding that these systems take some time for anything to move through the system. The current suggestion is to update your root hints every 6 months. The package manager is well within that window. Also, the "unstable" version of this file matches the February 2020 timestamp.
My opinion - it is better to use the Pi-hole install guide as written and load the freshest copy of the root hints when you install unbound. Then, as recommended by the guide, update the file about every six months. That's about 2 minutes of work to do so. And, even if you don't update the file, it's still newer than the package manager was using.
This is all new to me, so I'm learning on the fly. As I dig deeper, it appears that stretch is no longer updating this file, but buster is keeping the file up to date with 4 commits in 2019 and one in 2020. These commits do not seem to be evenly spaced, so the maintainer must not be doing it automatically, unless they just trigger on file changes from the source.
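One way to settle the "is the packaged copy stale?" question for yourself is to parse both files and diff the root server addresses rather than eyeballing timestamps. This is an added example, not code from the thread or from the dns-root-data or unbound projects; the two hints texts inside it are constructed samples, and the "related version of root zone" header comment is the one the published named.root file carries.

```python
"""Compare a packaged root hints file (e.g. dns-root-data's
/usr/share/dns/root.hints) with a freshly downloaded copy.
Both samples below are constructed for this example."""
import re
from typing import Dict, List, Optional, Set, Tuple

Hints = Dict[Tuple[str, str], Set[str]]  # (server name, A/AAAA) -> addresses

def parse_root_hints(text: str) -> Hints:
    """Collect the A/AAAA glue per root server; NS lines and ';' comments
    are ignored, and an optional IN class field is tolerated."""
    hints: Hints = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 4:
            continue
        rtype = next((f for f in fields[1:-1] if f in ("A", "AAAA")), None)
        if rtype is None:
            continue
        hints.setdefault((fields[0].lower(), rtype), set()).add(fields[-1].lower())
    return hints

def zone_version(text: str) -> Optional[str]:
    """Return the 'related version of root zone' serial from the header comment."""
    m = re.search(r"related version of root zone:\s*(\d+)", text)
    return m.group(1) if m else None

def diff_root_hints(old: Hints, new: Hints) -> List[Tuple[str, str, Set[str], Set[str]]]:
    """List every (server, type) whose address set differs between the copies."""
    return [(n, t, old.get((n, t), set()), new.get((n, t), set()))
            for n, t in sorted(set(old) | set(new))
            if old.get((n, t), set()) != new.get((n, t), set())]

OLD_HINTS = """; constructed sample: an older packaged copy
;       related version of root zone:   2017122701
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
"""
NEW_HINTS = """; constructed sample: a freshly downloaded copy
;       related version of root zone:   2020022601
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      IN A  198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""

if __name__ == "__main__":
    for n, t, was, now in diff_root_hints(parse_root_hints(OLD_HINTS), parse_root_hints(NEW_HINTS)):
        print(f"{n} {t}: {sorted(was)} -> {sorted(now)}")
```

Point it at the real files by reading them with `open(...).read()` in place of the sample strings; an empty diff means the packaged copy is still good, and a non-empty one tells you exactly which server's glue moved.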