NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

auto-trust-anchor doesn't work #585

Open Bundy01 opened 2 years ago

Bundy01 commented 2 years ago

Describe the bug

Hi, I'm trying to configure Unbound with auto-trust-anchor. I've given the user unbound the rights, but I get errors after running the command # unbound-anchor -va /etc/trusted-key.key:

~ % # unbound-checkconf

/etc/trusted-key.key:1: error: unknown keyword ';'
/etc/trusted-key.key:1: error: unknown keyword 'autotrust'
/etc/trusted-key.key:1: error: unknown keyword 'trust'
/etc/trusted-key.key:1: error: unknown keyword 'anchor'
/etc/trusted-key.key:1: error: unknown keyword 'file'
/etc/trusted-key.key:2: error: unknown keyword ';;id'
/etc/trusted-key.key:2: error: stray ':'
/etc/trusted-key.key:2: error: unknown keyword '.'
/etc/trusted-key.key:2: error: unknown keyword '1'
/etc/trusted-key.key:3: error: unknown keyword ';;last_queried'
/etc/trusted-key.key:3: error: stray ':'
/etc/trusted-key.key:3: error: unknown keyword '1639272900'
/etc/trusted-key.key:3: error: unknown keyword ';;Sun'
/etc/trusted-key.key:3: error: unknown keyword 'Dec'
/etc/trusted-key.key:3: error: unknown keyword '12'
/etc/trusted-key.key:3: error: unknown keyword '02'
/etc/trusted-key.key:3: error: stray ':'
/etc/trusted-key.key:3: error: unknown keyword '35'
/etc/trusted-key.key:3: error: stray ':'
/etc/trusted-key.key:3: error: unknown keyword '00'
/etc/trusted-key.key:3: error: unknown keyword '2021'
/etc/trusted-key.key:4: error: unknown keyword ';;last_success'
/etc/trusted-key.key:4: error: stray ':'
/etc/trusted-key.key:4: error: unknown keyword '1639272900'
/etc/trusted-key.key:4: error: unknown keyword ';;Sun'
/etc/trusted-key.key:4: error: unknown keyword 'Dec'
/etc/trusted-key.key:4: error: unknown keyword '12'
/etc/trusted-key.key:4: error: unknown keyword '02'
/etc/trusted-key.key:4: error: stray ':'
/etc/trusted-key.key:4: error: unknown keyword '35'
/etc/trusted-key.key:4: error: stray ':'
/etc/trusted-key.key:4: error: unknown keyword '00'
/etc/trusted-key.key:4: error: unknown keyword '2021'
/etc/trusted-key.key:5: error: unknown keyword ';;next_probe_time'
/etc/trusted-key.key:5: error: stray ':'
/etc/trusted-key.key:5: error: unknown keyword '1639312824'
/etc/trusted-key.key:5: error: unknown keyword ';;Sun'
/etc/trusted-key.key:5: error: unknown keyword 'Dec'
/etc/trusted-key.key:5: error: unknown keyword '12'
/etc/trusted-key.key:5: error: unknown keyword '13'
/etc/trusted-key.key:5: error: stray ':'
/etc/trusted-key.key:5: error: unknown keyword '40'
/etc/trusted-key.key:5: error: stray ':'
/etc/trusted-key.key:5: error: unknown keyword '24'
/etc/trusted-key.key:5: error: unknown keyword '2021'
/etc/trusted-key.key:6: error: unknown keyword ';;query_failed'
/etc/trusted-key.key:6: error: stray ':'
/etc/trusted-key.key:6: error: unknown keyword '0'
/etc/trusted-key.key:7: error: unknown keyword ';;query_interval'
/etc/trusted-key.key:7: error: stray ':'
/etc/trusted-key.key:7: error: unknown keyword '43199'
/etc/trusted-key.key:8: error: unknown keyword ';;retry_time'
/etc/trusted-key.key:8: error: stray ':'
/etc/trusted-key.key:8: error: unknown keyword '8639'
/etc/trusted-key.key:9: error: unknown keyword '.'
/etc/trusted-key.key:9: error: unknown keyword '86398'
/etc/trusted-key.key:9: error: unknown keyword 'IN'
/etc/trusted-key.key:9: error: unknown keyword 'DNSKEY'
/etc/trusted-key.key:9: error: unknown keyword '257'
/etc/trusted-key.key:9: error: unknown keyword '3'
/etc/trusted-key.key:9: error: unknown keyword '8'
/etc/trusted-key.key:9: error: unknown keyword 'AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='
/etc/trusted-key.key:9: error: unknown keyword ';{id'
/etc/trusted-key.key:9: error: unknown keyword '='
/etc/trusted-key.key:9: error: unknown keyword '20326'
/etc/trusted-key.key:9: error: unknown keyword '(ksk),'
/etc/trusted-key.key:9: error: unknown keyword 'size'
/etc/trusted-key.key:9: error: unknown keyword '='
/etc/trusted-key.key:9: error: unknown keyword '2048b}'
/etc/trusted-key.key:9: error: unknown keyword ';;state=2'
/etc/trusted-key.key:9: error: unknown keyword '['
/etc/trusted-key.key:9: error: unknown keyword 'VALID'
/etc/trusted-key.key:9: error: unknown keyword ']'
/etc/trusted-key.key:9: error: unknown keyword ';;count=0'
/etc/trusted-key.key:9: error: unknown keyword ';;lastchange=1639272900'
/etc/trusted-key.key:9: error: unknown keyword ';;Sun'
/etc/trusted-key.key:9: error: unknown keyword 'Dec'
/etc/trusted-key.key:9: error: unknown keyword '12'
/etc/trusted-key.key:9: error: unknown keyword '02'
/etc/trusted-key.key:9: error: stray ':'
/etc/trusted-key.key:9: error: unknown keyword '35'
/etc/trusted-key.key:9: error: stray ':'
/etc/trusted-key.key:9: error: unknown keyword '00'
/etc/trusted-key.key:9: error: unknown keyword '2021'
read /etc/unbound/unbound.conf failed: 84 errors in configuration file

Here is my unbound.conf (without comments):

~ %  grep -Ev '^[[:blank:]]*#|^$' /etc/unbound/unbound.conf

server:
     include: /etc/trusted-key.key
     include: /etc/unbound/blacklist
    verbosity: 0
     statistics-interval: 0
     num-threads: 8
     interface: 127.0.0.1
     interface: ::1
     port: 53
     outgoing-range: 78
     so-rcvbuf: 0
     so-sndbuf: 0
     so-reuseport: yes
     edns-buffer-size: 1232
     stream-wait-size: 7m
     msg-cache-size: 32m
     msg-cache-slabs: 8
     num-queries-per-thread: 1024
     rrset-cache-size: 64m
     rrset-cache-slabs: 8
     cache-min-ttl: 86400
     cache-max-ttl: 172800
     infra-cache-slabs: 8
     infra-cache-numhosts: 30000
     do-ip4: yes
     do-ip6: no
     do-udp: yes
     do-tcp: yes
     use-systemd: no
     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow
     access-control: ::0/0 refuse
     access-control: ::1/128 allow
     username: "unbound"
     directory: "/etc/unbound"
     use-syslog: no
     log-time-ascii: no
     log-queries: no
     log-replies: no
     log-tag-queryreply: no
     log-local-actions: no
     log-servfail: no
     root-hints: "root.hints"
     hide-identity: yes
     hide-version: yes
     hide-http-user-agent: yes
     harden-glue: yes
     harden-dnssec-stripped: yes
     harden-below-nxdomain: yes
     harden-algo-downgrade: no
     qname-minimisation: yes
     aggressive-nsec: yes
     use-caps-for-id: yes
     private-address: 10.0.0.0/8
     private-address: 192.168.0.0/16
     private-address: fd00::/8
     private-address: fe80::/10
     private-address: ::ffff:0:0/96
     unwanted-reply-threshold: 10000000
     do-not-query-localhost: no
     prefetch: yes
     prefetch-key: yes
     minimal-responses: yes
     disable-dnssec-lame-check: no
     module-config: "validator iterator"
     auto-trust-anchor-file: "/etc/trusted-key.key"
     root-key-sentinel: yes
    trust-anchor-file: "/etc/unbound/trusted-key.key"
     val-clean-additional: yes
     key-cache-size: 128m
     key-cache-slabs: 8
     tls-service-key: "/etc/unbound/unbound_server.key"
     tls-service-pem: "/etc/unbound/unbound_server.pem"
     tls-port: 853
     tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
     tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     pad-responses: yes
     tls-use-sni: yes
     tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
python:
dynlib:
remote-control:
     control-enable: yes
     control-interface: 127.0.0.1
 forward-zone:
    name: "quad9.com"
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
    forward-first: yes
    forward-tls-upstream: yes

To reproduce:

  1. uncomment 'auto-trust-anchor-file:"/etc/trusted-key.key"'
  2. restart unbound.service

System:

Version 1.14.0

Configure line: --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/bin --disable-rpath --enable-dnscrypt --enable-dnstap --enable-pie --enable-relro-now --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --enable-cachedb --with-libhiredis --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/trusted-key.key --with-libevent --with-libnghttp2 --with-pyunbound
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021
Linked modules: dns64 cachedb subnetcache respip validator iterator
DNSCrypt feature available
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

wcawijngaards commented 2 years ago

The problem is the line where you include the key file, at the start of your config. The key should be listed in an auto-trust-anchor-file or a trust-anchor-file clause.

Later on, you have both an auto-trust-anchor-file and a trust-anchor-file. Use only one of the two. They have different path names. Use the one that is the correct key and is writable for auto-trust-anchor-file.

Because of the include at the start, the config parser attempts to read that file. That prints the syntax errors.

Bundy01 commented 2 years ago

I included the file because otherwise Unbound tries to create the file in etc/unbound/etc/trusted-key.key instead of /etc/trusted-key.key. This happens whether directory: "/etc/unbound" is commented out or not.

For the trust-anchor-file: "/etc/unbound/trusted-key.key" line, I actually forgot to comment it out in the post.

I also tried to do this: auto-trust-anchor-file: "/etc/unbound/trusted-key.key" but I have permission problems on the file (even giving read/write permission to all).

wcawijngaards commented 2 years ago

You should not do that include. The pathname change that you talk about is likely because of chroot; check the chroot setting, it has a default and you do not list it in the config. The default depends on the distro you use, and that also sets in some cases lots of systemd settings and permissions profiles, like apparmor, selinux. Those are likely interfering with the permissions. That is what you then need to solve, the permissions problem.

Bundy01 commented 2 years ago

Thank you for the answer. I have disabled Apparmor's Unbound profile and uncommented the 'chroot' line without success on the rights. I won't insist here. However, I still have a question if you allow me. I use Unbound on my personal computer and I am the only user.

Can you tell me if I forgot to add security settings in the conf file? Or on the contrary, if I have added potential vulnerabilities?

server:
     include: /etc/unbound/blacklist
    verbosity: 0
     statistics-interval: 0
     num-threads: 8
     interface: 127.0.0.1
     interface: ::1
     port: 53
     outgoing-range: 78
     so-rcvbuf: 0
     so-sndbuf: 0
     so-reuseport: yes
     edns-buffer-size: 1232
     stream-wait-size: 7m
     msg-cache-size: 32m
     msg-cache-slabs: 8
     num-queries-per-thread: 1024
     rrset-cache-size: 64m
     rrset-cache-slabs: 8
     cache-min-ttl: 86400
     cache-max-ttl: 172800
     infra-cache-slabs: 8
     infra-cache-numhosts: 30000
     do-ip4: yes
     do-ip6: no
     do-udp: yes
     do-tcp: yes
     use-systemd: no
     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow
     access-control: ::0/0 refuse
     access-control: ::1/128 allow
     chroot: "/etc/unbound"
     username: "unbound"
     directory: "/etc/unbound"
     use-syslog: no
     log-time-ascii: no
     log-queries: no
     log-replies: no
     log-tag-queryreply: no
     log-local-actions: no
     log-servfail: no
     root-hints: "root.hints"
     hide-identity: yes
     hide-version: yes
     hide-http-user-agent: yes
     harden-glue: yes
     harden-dnssec-stripped: yes
     harden-below-nxdomain: yes
     harden-algo-downgrade: no
     qname-minimisation: yes
     aggressive-nsec: yes
     use-caps-for-id: yes
     private-address: 10.0.0.0/8
     private-address: 192.168.0.0/16
     private-address: fd00::/8
     private-address: fe80::/10
     private-address: ::ffff:0:0/96
     unwanted-reply-threshold: 10000000
     do-not-query-localhost: no
     prefetch: yes
     prefetch-key: yes
     minimal-responses: yes
     disable-dnssec-lame-check: no
     module-config: "validator iterator"
     root-key-sentinel: yes
    trust-anchor-file: "/etc/unbound/trusted-key.key"
     val-clean-additional: yes
     key-cache-size: 128m
     key-cache-slabs: 8
     tls-service-key: "/etc/unbound/unbound_server.key"
     tls-service-pem: "/etc/unbound/unbound_server.pem"
     tls-port: 853
     tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
     tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
     pad-responses: yes
     tls-use-sni: yes
     tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
python:
dynlib:
remote-control:
     control-enable: yes
     control-interface: 127.0.0.1
 forward-zone:
    name: "quad9.com"
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
    forward-first: yes
    forward-tls-upstream: yes

wcawijngaards commented 2 years ago

There seem to be no problems with your config, but it is possible to set the TLS authentication name for the forward-addr and you have not set it. This is how you set that:

    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

Other than that the config should work, also for the trust anchor that looks fine. That still gives permission problems? It is listed once, and not as an include and it is inside the chroot. So that looks a lot better than before.
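The points the maintainer raises in this thread (an include: of an autotrust state file, trust-anchor-file and auto-trust-anchor-file both set, the chroot default that silently relocates a path, and the addr@port#authname form for TLS forwarders) are all visible in the config text and can be checked before restarting the daemon. The script below is an added example written for this page, not Unbound's own code or tooling. DEFAULT_CHROOT = "/etc/unbound" is an assumption for the demo (the maintainer notes the real default depends on the distribution), and SAMPLE_CONF and SAMPLE_FILES are constructed from the first config and the ";;autotrust" error lines posted above.

```python
"""Added example, not code from the Unbound project: a small linter for
the unbound.conf pitfalls raised in this thread.

It parses the `option: value` layout used in the reports above and flags
  * an include: of an autotrust state file (starts with ";;autotrust",
    which the config parser cannot read, hence the "unknown keyword" errors),
  * trust-anchor-file and auto-trust-anchor-file both set,
  * forward-addr entries with forward-tls-upstream but no #authname,
and shows where a path lands once chroot applies.
"""
import re

DEFAULT_CHROOT = "/etc/unbound"  # assumption; distro packages differ


def parse_unbound_conf(text):
    """Return [(clause, [(option, value), ...]), ...] in file order.

    A '#' starts a comment only at a token boundary, so the '#authname'
    suffix of forward-addr survives.  A line with nothing after the colon
    is a clause header (server:, forward-zone:, python:, ...).
    """
    blocks = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if rest == "":
            blocks.append((key, []))
        elif blocks:
            blocks[-1][1].append((key, rest.strip('"')))
    return blocks


def effective_path(path, chroot):
    """Real-filesystem location of a config path once unbound has chrooted.

    Paths already below the chroot are used unchanged (the prefix is
    stripped inside the jail); any other absolute path is taken relative to
    the chroot root, which is how /etc/trusted-key.key turned into
    /etc/unbound/etc/trusted-key.key in the report above.
    """
    if not chroot:
        return path
    base = chroot.rstrip("/")
    if path == base or path.startswith(base + "/"):
        return path
    return base + "/" + path.lstrip("/")


def lint(text, read_file=lambda p: None, default_chroot=DEFAULT_CHROOT):
    """Return human-readable findings for a config text.

    read_file(path) -> str or None lets the linter peek at included files
    without touching the real filesystem.
    """
    findings = []
    blocks = parse_unbound_conf(text)
    server = [kv for name, opts in blocks if name == "server" for kv in opts]
    keys = {k for k, _ in server}

    if {"trust-anchor-file", "auto-trust-anchor-file"} <= keys:
        findings.append("trust-anchor-file and auto-trust-anchor-file are both "
                        "set; keep only one of them")

    for k, v in server:
        if k == "include":
            head = read_file(v)
            if head is not None and head.lstrip().startswith(";;autotrust"):
                findings.append(f"include: {v} is an autotrust state file; "
                                "name it in auto-trust-anchor-file instead")

    # chroot: "" turns the chroot off; an absent line means the default.
    chroot = dict(server).get("chroot", default_chroot)
    for k, v in server:
        if k in ("trust-anchor-file", "auto-trust-anchor-file"):
            real = effective_path(v, chroot)
            if real != v:
                findings.append(f"{k}: {v} is outside chroot {chroot!r} and "
                                f"would be opened as {real}")

    for name, opts in blocks:
        if name != "forward-zone":
            continue
        zone = dict(opts).get("name", "?")
        if ("forward-tls-upstream", "yes") in opts:
            for k, v in opts:
                if k == "forward-addr" and "#" not in v:
                    findings.append(f"forward-zone {zone}: {v} uses TLS without "
                                    "an authentication name (addr@port#hostname)")
    return findings


# Constructed sample: a condensed version of the first config in the thread.
SAMPLE_CONF = """\
server:
    include: /etc/trusted-key.key
    username: "unbound"
    directory: "/etc/unbound"
    module-config: "validator iterator"
    auto-trust-anchor-file: "/etc/trusted-key.key"
    trust-anchor-file: "/etc/unbound/trusted-key.key"
forward-zone:
    name: "quad9.com"
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853  # no #authname
    forward-tls-upstream: yes
"""

# Constructed stand-in for the included file; its ";;autotrust" header is
# what the "unknown keyword" errors in the report were tripping over.
SAMPLE_FILES = {"/etc/trusted-key.key": ";;autotrust trust anchor file\n;;id: . 1\n"}


def lint_sample():
    return lint(SAMPLE_CONF, read_file=SAMPLE_FILES.get)


if __name__ == "__main__":
    for finding in lint_sample():
        print("-", finding)
```

Run against the sample it reports five findings: the duplicate anchor directives, the include of the state file, the auto-trust-anchor-file path that would be opened inside the chroot, and the two forwarders without an authentication name. A config with chroot: "" and a single trust anchor directive produces none.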

Bundy01 commented 2 years ago

Thanks for taking some time :) If I replace trust-anchor with auto-trust-anchor, I get this error in systemctl:

Dec 15 18:56:34 laptop unbound[26580]: [1639590994] unbound[26580:0] fatal error: could not open autotrust file for writing, /trusted-key.key.26580-0-55aed4275330: Permission denied

-rw-r----- 1 root    wheel 22023792 15 déc.  00:15 blacklist
drwxr-xr-x 2 root    root      4096  4 juin   2021 dev
-rw-r----- 1 root    wheel   397620 15 déc.  07:15 google.conf
-rw-r--r-- 1 root    wheel     3314 29 nov.  01:36 root.hints
drwxr-xr-x 2 root    root      4096  4 juin   2021 run
-rw-rw---- 1 unbound root       738 12 déc.  02:02 trusted-key.key
-rw-r----- 1 root    wheel    46808 15 déc.  19:05 unbound.conf
-rw-r----- 1 root    wheel    46442 24 nov.  04:03 unbound.conf.save
-rw------- 1 root    root      2455  4 juin   2021 unbound_control.key
-rw-r----- 1 root    root      1411  4 juin   2021 unbound_control.pem
-rw------- 1 root    root      2455  4 juin   2021 unbound_server.key
-rw-r----- 1 root    root      1549  4 juin   2021 unbound_server.pem

Regards.

EDIT: I just noticed that with the 'chroot' parameter enabled, I no longer have DNSSEC validation.

unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

returns to me:

[1639595853] libunbound[61944:0] error: error opening file /trusted-key.key: No such file or directory
[1639595853] libunbound[61944:0] error: error reading trust-anchor-file: /etc/unbound/trusted-key.key
[1639595853] libunbound[61944:0] error: validator: error in trustanchors config
[1639595853] libunbound[61944:0] error: validator: could not apply configuration settings.
[1639595853] libunbound[61944:0] error: module init for module validator failed
resolve error: initialization failure

No errors if I comment out the 'chroot' line.

If I manually load the file /etc/unbound/trusted-key.key, the rights change to

-rw------- 1 root root       758 15 déc.  20:12 trusted-key.key

wcawijngaards commented 2 years ago

So, what are the permissions on the directory itself? It needs access to that to create the temporary file that it tries to write to. You do not list that in your ls. Perhaps that is your problem.

Then there is the file not found with chroot. That is weird, since the file is inside the directory, yet it then does not exist. Did you adjust the chroot line in some way? If you comment it out you get the default chroot location, so is the string edited when it is not commented out? The setting "" makes chroot turn off; by default it is turned on.
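The question above about the directory is the one that matters for auto-trust-anchor-file: after dropping privileges to the username user, unbound writes the updated anchor to a temporary file beside the original (the /trusted-key.key.<pid>-... name in the fatal error) and then replaces the original, so it needs write and search permission on the directory, not only on the file. The script below is an added example for this page, not Unbound's own code; it models only classic Unix owner/group/other permissions (AppArmor or SELinux, which the maintainer also mentions, are outside it). The uid 999 for "unbound" and the owner tuples are constructed from the ls output posted in the thread.

```python
"""Added example, not Unbound's own code: does the daemon user have what
auto-trust-anchor-file needs?  Unbound writes the refreshed anchor to a
temporary file next to the original and renames it into place, so it needs
w+x on the directory and r+w on the file, all as the unprivileged user.
Only discretionary (mode bit) permissions are modelled here.
"""
import os
import stat
from collections import namedtuple

Owner = namedtuple("Owner", "mode uid gid")  # permission bits, st_uid, st_gid

R, W, X = 4, 2, 1


def allowed(entry, want, euid, groups):
    """Classic Unix check: are all r/w/x bits in `want` granted to euid?"""
    if euid == 0:
        # root bypasses r/w; execute still needs some x bit on the entry
        if want & X and not entry.mode & 0o111:
            return False
        return True
    if euid == entry.uid:
        bits = (entry.mode >> 6) & 7
    elif entry.gid in groups:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bits & want == want


def autotrust_findings(directory, anchor, euid, groups):
    """Permission problems for the anchor file and the directory holding it."""
    problems = []
    if not allowed(directory, W | X, euid, groups):
        problems.append("directory: daemon user cannot create the temporary "
                        "file (needs w+x on the directory holding the anchor)")
    if not allowed(anchor, R | W, euid, groups):
        problems.append("anchor file: daemon user cannot read and write it")
    return problems


def findings_for_path(anchor_path, euid, groups):
    """Same check against the live filesystem (not exercised by the demo)."""
    d = os.stat(os.path.dirname(anchor_path) or ".")
    f = os.stat(anchor_path)
    return autotrust_findings(
        Owner(stat.S_IMODE(d.st_mode), d.st_uid, d.st_gid),
        Owner(stat.S_IMODE(f.st_mode), f.st_uid, f.st_gid),
        euid, groups)


# Constructed from the ls -l output in the thread: the directory is
# drwxr-xr-x root root and the anchor -rw-rw---- unbound root.
# uid/gid 999 for the unbound user is an assumption.
UNBOUND_UID, UNBOUND_GROUPS = 999, {999}
DIR_AS_POSTED = Owner(0o755, 0, 0)
ANCHOR_AS_POSTED = Owner(0o660, UNBOUND_UID, 0)
# The anchor after it was re-created by a root-run tool: -rw------- root root.
ANCHOR_ROOT_ONLY = Owner(0o600, 0, 0)
# The directory with the daemon's group as group owner and group-writable.
DIR_FIXED = Owner(0o770, 0, UNBOUND_UID)


def demo():
    """Findings for the posted layout and for the directory once fixed."""
    before = autotrust_findings(DIR_AS_POSTED, ANCHOR_AS_POSTED,
                                UNBOUND_UID, UNBOUND_GROUPS)
    after = autotrust_findings(DIR_FIXED, ANCHOR_AS_POSTED,
                               UNBOUND_UID, UNBOUND_GROUPS)
    return before, after


if __name__ == "__main__":
    for label, problems in zip(("as posted", "directory fixed"), demo()):
        print(f"{label}: {problems or 'ok'}")
```

With the directory as posted the only finding is the directory itself: the file is owned by the daemon user, but the unprivileged user cannot create the temporary file in a root-owned 0755 directory. Once the directory grants the daemon's group write and search, the same file passes. The 0600 root:root variant reproduces the other observation in the thread, a file the daemon can no longer read after a root-run tool rewrote it.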

wcawijngaards commented 2 years ago

Okay wait, you post errors from unbound-host -C; that is using the library call, which is not the same as starting unbound. So never mind that.

Bundy01 commented 2 years ago

@wcawijngaards: Do you have any idea why the rights of the /etc/unbound/trusted-key.key file change when I update it (unbound-anchor)? Maybe it's what is blocking with 'auto-trust' too?

I put the full functional rights just in case (without 'chroot' option):

total 22M
drwxr-xr-x  4 root root  4,0K 17 déc.  20:37 .
drwxr-xr-x 69 root root  4,0K 17 déc.  22:37 ..
-rw-r-----  1 root wheel  21M 17 déc.  22:36 blacklist
drwxr-xr-x  2 root root  4,0K  4 juin   2021 dev
-rw-r-----  1 root wheel 389K 17 déc.  00:55 google
-rw-r--r--  1 root wheel 3,3K 15 déc.  23:29 root.hints
drwxr-xr-x  2 root root  4,0K  4 juin   2021 run
-rw-r--r--  1 root root   757 17 déc.  20:37 trusted-key.key
-rw-r-----  1 root wheel  46K 16 déc.  01:55 unbound.conf
-rw-r-----  1 root wheel  46K 24 nov.  04:03 unbound.conf.save
-rw-------  1 root root  2,4K  4 juin   2021 unbound_control.key
-rw-r-----  1 root root  1,4K  4 juin   2021 unbound_control.pem
-rw-------  1 root root  2,4K  4 juin   2021 unbound_server.key
-rw-r-----  1 root root  1,6K  4 juin   2021 unbound_server.pem
-rw-r-----  1 root wheel  281 16 déc.  02:12 whitelist