NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

unbound-helper root_trust_anchor_update fails without notice what happened #815

Closed emdete closed 1 year ago

emdete commented 1 year ago

Describe the bug

when issuing /usr/libexec/unbound-helper root_trust_anchor_update it may fail (exit code 1) but doesn't tell what happened.

strace shows that it tries (unconditionally it seems, the config has a different path) to read and write to /usr/share/dns/root.key and /usr/share/dns doesn't exist.

To reproduce Steps to reproduce the behavior:

  1. run /usr/libexec/unbound-helper root_trust_anchor_update
  2. alternatively watch what happens with strace /usr/libexec/unbound-helper root_trust_anchor_update

Expected behavior

the file to be generated.

System:

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available

Additional information

in fact these are two problems: the wrong path and the missing logging.

Jakker commented 1 year ago

On 29 Dec 2022, at 23:32, M. Dietrich @.***> wrote: Describe the bug

when issuing /usr/libexec/unbound-helper root_trust_anchor_update it may fail (exit code 1) but doesn't tell what happened.

strace shows that it tries (unconditionally it seems, the config has a different path) to read and write to /usr/share/dns/root.key and /usr/share/dns doesn't exist.

Unbound-helper is not part of the unbound distribution.

Maintaining the root.key is normally done with unbound-anchor, see man(1) unbound-anchor for details. This suggests that you want to do something like "unbound -a some-path".

To quote man(1) unbound-anchor:

   Suggested usage:

        # in the init scripts.
        # provide or update the root anchor (if necessary)
        unbound-anchor -a "/usr/local/etc/unbound/root.key"
        # Please note usage of this root anchor is at your own risk
        # and under the terms of our LICENSE (see source).
        #
        # start validating resolver
        # the unbound.conf contains:
        #   auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
        unbound -c unbound.conf

jaap

emdete commented 1 year ago

Sorry, in that case it seems to be a debian packaging problem, unbound-anchor is not part of the package it seems.

max-aigner commented 10 months ago

apt install unbound unbound-anchor

DaDummy commented 9 months ago

Looks like there is a packaging mistake in the current Debian package version of unbound-anchor as it does not create the directory /usr/share/dns, which then causes invocations to unbound-anchor to fail.
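The thread turns on two things: the anchor directory (/usr/share/dns on the reporter's system) not existing, and the helper failing without saying why. The wrapper below is an added example, not code from the unbound project or from the Debian package. It follows the "Suggested usage" quoted from man(1) unbound-anchor, creates the parent directory of the key file if it is missing, and reports what the unbound-anchor exit code means (the man page documents exit 1 for "updated from the certificate or built-in anchor used" and exit 0 for "no update needed, RFC 5011 tracked, or an error occurred", so the exit code alone is not an error signal; the presence of a non-empty key file is). The UNBOUND_ANCHOR variable is an assumption of this example, added so the command can be swapped for a stub when exercising the wrapper offline.

```shell
#!/bin/sh
# Added example: wrapper around unbound-anchor that makes the two failure modes
# from the report visible. Not part of unbound or of the Debian packaging.
# UNBOUND_ANCHOR is a hypothetical override so the wrapper can be tested without
# the real binary; in production leave it unset.

# Create the directory that will hold the root key if it does not exist yet.
# Returns 2 when the directory cannot be created.
ensure_anchor_dir() {
    dir=$(dirname "$1")
    if [ ! -d "$dir" ]; then
        echo "anchor directory $dir is missing; creating it" >&2
        mkdir -p "$dir" || return 2
    fi
    return 0
}

# Run unbound-anchor -a <key> and explain the result.
# Returns 0 when a non-empty key file exists afterwards, 2 if the directory
# could not be created, 3 if the key file is missing or empty after the run.
update_root_anchor() {
    key="$1"
    ensure_anchor_dir "$key" || { echo "cannot create directory for $key" >&2; return 2; }

    # Capture the exit code without letting a caller's 'set -e' abort us.
    "${UNBOUND_ANCHOR:-unbound-anchor}" -a "$key" && rc=0 || rc=$?

    case "$rc" in
        0) echo "root anchor at $key is current (or RFC 5011 tracked); note unbound-anchor also exits 0 on error" ;;
        1) echo "root anchor at $key was updated from the certificate or the built-in anchor; please review it" >&2 ;;
        *) echo "unbound-anchor exited with unexpected code $rc" >&2 ;;
    esac

    # The real success indicator: a usable key file on disk.
    if [ ! -s "$key" ]; then
        echo "$key is missing or empty after the run; the resolver would start without a root trust anchor" >&2
        return 3
    fi
    return 0
}

# Usage in an init script (path taken from the reporter's configure line):
#   update_root_anchor /usr/share/dns/root.key || logger -t unbound "please check root.key"
```

Running this in place of the bare helper call turns the silent exit into a message naming the missing directory or the empty key file, which is the information the reporter had to recover with strace.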