Closed countsudoku closed 2 months ago
How to reproduce (e.g Puppet code you use)

```puppet
class { 'unbound':
  trust_anchor_file => '/usr/share/dns/root.key',
  interface         => ['0.0.0.0'],
}
```

What are you seeing

The `unbound.conf` cannot be parsed anymore, because it contains an `auto-trust-anchor-file:` and a `trust-anchor-file:` option:

```
Error: Execution of '/usr/sbin/unbound-checkconf /etc/unbound/unbound.conf20230615-31967-er7wgp' returned 1:
[1686863903] unbound-checkconf[32155:0] error: trust anchor presented twice
[1686863903] unbound-checkconf[32155:0] error: could not parse auto-trust-anchor-file /var/lib/unbound/root.key line 2
[1686863903] unbound-checkconf[32155:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.key
[1686863903] unbound-checkconf[32155:0] error: validator: error in trustanchors config
[1686863903] unbound-checkconf[32155:0] error: validator: could not apply configuration settings.
[1686863903] unbound-checkconf[32155:0] fatal error: bad config for validator module
```

What behaviour did you expect instead

Unbound should use my provided `trust_anchor_file`.

Any additional information you'd like to impart

The part of the template that is responsible for this code is:
https://github.com/voxpupuli/puppet-unbound/blob/825d42ae4475cb86a0e743a58eebb5a2290b0c0c/templates/unbound.conf.erb#L175-L176
plus the definitions in the `init.pp`:
https://github.com/voxpupuli/puppet-unbound/blob/825d42ae4475cb86a0e743a58eebb5a2290b0c0c/manifests/init.pp#L113 and
https://github.com/voxpupuli/puppet-unbound/blob/825d42ae4475cb86a0e743a58eebb5a2290b0c0c/manifests/init.pp#L180

So the `auto_trust_anchor_file` variable is always set and always added to the config file. As soon as a `trust_anchor_file` is configured there are two "trust-anchor-file" variants in the config file.

I am not sure how you would like to fix that: The cleanest option – from my point of view – would be to make the `auto_trust_anchor_file` also an `Optional` and add some input validation that not both values are set.
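
One way the validation suggested in the issue could look, as an added Ruby/ERB example that is not the module's own code and not written by the reporter. The two parameter names come from the issue; `render_anchors`, `anchor_directives`, the template fragment and the fallback to `/var/lib/unbound/root.key` when neither parameter is given are assumptions made for illustration.

```ruby
require 'erb'

# Assumed fallback, used only when the caller configures neither anchor.
# The path is the auto-trust-anchor-file named in the error output above.
DEFAULT_AUTO_ANCHOR = '/var/lib/unbound/root.key'

# Hypothetical template fragment (not the module's unbound.conf.erb):
# each directive is emitted only when its parameter has a value.
ANCHOR_TEMPLATE = ERB.new(<<~CONF, trim_mode: '-')
  server:
  <%- if auto_trust_anchor_file -%>
    auto-trust-anchor-file: "<%= auto_trust_anchor_file %>"
  <%- end -%>
  <%- if trust_anchor_file -%>
    trust-anchor-file: "<%= trust_anchor_file %>"
  <%- end -%>
CONF

# Both parameters are optional; configuring both is rejected before any
# config is written, instead of being discovered by unbound-checkconf.
def render_anchors(trust_anchor_file: nil, auto_trust_anchor_file: nil)
  if trust_anchor_file && auto_trust_anchor_file
    raise ArgumentError,
          'trust_anchor_file and auto_trust_anchor_file are mutually exclusive'
  end
  if trust_anchor_file.nil? && auto_trust_anchor_file.nil?
    auto_trust_anchor_file = DEFAULT_AUTO_ANCHOR
  end
  ANCHOR_TEMPLATE.result_with_hash(
    trust_anchor_file: trust_anchor_file,
    auto_trust_anchor_file: auto_trust_anchor_file
  )
end

# Post-render check: list every anchor directive present in a config text.
def anchor_directives(conf)
  conf.scan(/^\s*((?:auto-)?trust-anchor-file):\s*"([^"]*)"/)
end

if $PROGRAM_NAME == __FILE__
  # The parameters from the issue's reproduction case.
  conf = render_anchors(trust_anchor_file: '/usr/share/dns/root.key')
  puts conf
  p anchor_directives(conf) # one entry: the static trust-anchor-file
end
```
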