On 11.11.2015 21:33, Robert Edmonds wrote:
Paweł Różański wrote:
I run unbound on my laptop with Debian unstable as a local DNS cache. After a
standard upgrade of packages I noticed that my DNS resolver does not work anymore.
The unbound service does not run/start. After enabling debug I found in syslog:
fatal error: could not open autotrust file for writing, 
/etc/unbound/root.key.3265-0: Permission denied

Indeed, I used /var/lib/unbound/root.key in 1.4:
ls -ltr /var/lib/unbound/root.key
-rw-r--r-- 1 unbound unbound 759 lis 11 09:44 /var/lib/unbound/root.key

1.5.6 tried to use /etc/unbound/root.key:
ls -ltra /etc/unbound/root.key
-rw-r--r-- 1 root root 759 lis 10 09:33 /etc/unbound/root.key

1.4 probably used conf.d, and 1.5.4 probably does not, as I have
cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
     # The following line will configure unbound to perform cryptographic
     # DNSSEC validation using the root trust anchor.
     auto-trust-anchor-file: "/var/lib/unbound/root.key"

I also checked exactly the same default configuration on the previous version -
it works with 1.4.

Below is my current, working configuration. The only change is 
auto-trust-anchor-file line.

Hi, Paweł:

Unbound by itself doesn't read from /etc/unbound/conf.d.

In version 1.4.19, upstream added support for glob patterns in the
unbound.conf "include" directive:

     -   include: directive in config file accepts wildcards. Patch from
     Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"

However, it caused fatal errors if no files matched the glob pattern.
This bug was fixed in Unbound 1.4.21:

     * Fix so that for a configuration line of include: "*.conf" it is not
     an error if there are no files matching the glob pattern.

In the Debian unbound 1.4.21-1 package, I added support for reading
additional config snippets from /etc/unbound/conf.d/*.conf and moved the
default auto-trust-anchor-file directive into a separate file in that
directory:

   * Add support for .d style configuration in /etc/unbound/unbound.conf.d;
     closes: #656549.
   * Move auto-trust-anchor-file configuration for the root into the new
     /etc/unbound/unbound.conf.d directory.

The conf.d support in the unbound package depends on an explicit
"include" directive appearing in unbound.conf, which was enabled in the
default unbound.conf file shipped in the unbound package:

     # Unbound configuration file for Debian.
     #
     # See the unbound.conf(5) man page.
     #
     # See /usr/share/doc/unbound/examples/unbound.conf for a commented
     # reference config file.
     #
     # The following line includes additional configuration files from the
     # /etc/unbound/unbound.conf.d directory.
     include: "/etc/unbound/unbound.conf.d/*.conf"

It looks like your unbound.conf file doesn't have this "include"
directive.  This means the conf.d config snippets won't be read.

Thank you for the detailed explanation.

I do see an explicit "auto-trust-anchor-file" directive in your config file,
though.  Did you add this line before or after upgrading to 1.5.6-1?

I added that line after upgrade to 1.5.6.

You might also have been affected by upstream's change in svn r3387, in
Unbound 1.5.x:

     - Unbound exits with a fatal error when the auto-trust-anchor-file
       fails to be writable.  This is seconds after startup.  You can
       load a readonly auto-trust-anchor-file with trust-anchor-file.
       The file has to be writable to notice the trust anchor change,
       without it, a trust anchor change will be unnoticed and the system
       will then become inoperable.

This change converts what would have been a previously "working" though
run-able config (though without a writable auto trust anchor file) into
a config that fails to start.

We can probably update the Debian package to be built with an explicit
"--with-rootkey-file=/var/lib/unbound/root.key" passed to configure,
which probably would have papered over the issue that you experienced,
though I'm confused as to where the "/etc/unbound/root.key" path could
have been coming from.

I believe the configuration file should be modified as below, or reading conf.d
should be restored. Right now the service does not work on the default
configuration and may disrupt services.

Well, the default configuration on a fresh install looks like the below
console output, and results in the "auto-trust-anchor-file" directive
being set to the right value.  That config should definitely work.


edmonds@chase{0}:~$ sudo pbuilder --login
I: Building the build Environment
I: extracting base tarball [/var/cache/pbuilder/base.tgz]
I: copying local configuration
I: mounting /proc filesystem
I: mounting /run/shm filesystem
I: mounting /dev/pts filesystem
I: policy-rc.d already exists
I: entering the shell
File extracted to: /var/cache/pbuilder/build/2801

root@chase:/# apt-get -qyV install unbound
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
    libevent-2.0-5 (2.0.21-stable-2+b1)
    libexpat1 (2.1.0-7)
    libffi6 (3.2.1-3)
    libfstrm0 (0.2.0-1)
    libprotobuf-c1 (1.1.1-1)
    libpython2.7 (2.7.10-5+b1)
    libpython2.7-minimal (2.7.10-5+b1)
    libpython2.7-stdlib (2.7.10-5+b1)
    libssl1.0.2 (1.0.2d-3)
    libunbound2 (1.5.6-1)
    mime-support (3.59)
    openssl (1.0.2d-3)
    unbound-anchor (1.5.6-1)
Suggested packages:
    ca-certificates (20150426)
Recommended packages:
    file (5.25-2)
The following NEW packages will be installed:
    libevent-2.0-5 (2.0.21-stable-2+b1)
    libexpat1 (2.1.0-7)
    libffi6 (3.2.1-3)
    libfstrm0 (0.2.0-1)
    libprotobuf-c1 (1.1.1-1)
    libpython2.7 (2.7.10-5+b1)
    libpython2.7-minimal (2.7.10-5+b1)
    libpython2.7-stdlib (2.7.10-5+b1)
    libssl1.0.2 (1.0.2d-3)
    libunbound2 (1.5.6-1)
    mime-support (3.59)
    openssl (1.0.2d-3)
    unbound (1.5.6-1)
    unbound-anchor (1.5.6-1)
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 6595 kB of archives.
After this operation, 24.0 MB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ sid/main libffi6 amd64 3.2.1-3 [20.1 kB]
Get:2 http://ftp.us.debian.org/debian/ sid/main libssl1.0.2 amd64 1.0.2d-3 
[1278 kB]
Get:3 http://ftp.us.debian.org/debian/ sid/main libevent-2.0-5 amd64 
2.0.21-stable-2+b1 [153 kB]
Get:4 http://ftp.us.debian.org/debian/ sid/main mime-support all 3.59 [36.4 kB]
Get:5 http://ftp.us.debian.org/debian/ sid/main libexpat1 amd64 2.1.0-7 [80.0 
kB]
Get:6 http://ftp.us.debian.org/debian/ sid/main libfstrm0 amd64 0.2.0-1 [19.0 
kB]
Get:7 http://ftp.us.debian.org/debian/ sid/main libprotobuf-c1 amd64 1.1.1-1 
[24.5 kB]
Get:8 http://ftp.us.debian.org/debian/ sid/main libpython2.7-minimal amd64 
2.7.10-5+b1 [381 kB]
Get:9 http://ftp.us.debian.org/debian/ sid/main libpython2.7-stdlib amd64 
2.7.10-5+b1 [1846 kB]
Get:10 http://ftp.us.debian.org/debian/ sid/main libpython2.7 amd64 2.7.10-5+b1 
[1065 kB]
Get:11 http://ftp.us.debian.org/debian/ sid/main libunbound2 amd64 1.5.6-1 [325 
kB]
Get:12 http://ftp.us.debian.org/debian/ sid/main openssl amd64 1.0.2d-3 [693 kB]
Get:13 http://ftp.us.debian.org/debian/ sid/main unbound-anchor amd64 1.5.6-1 
[112 kB]
Get:14 http://ftp.us.debian.org/debian/ sid/main unbound amd64 1.5.6-1 [562 kB]
Fetched 6595 kB in 0s (9953 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libffi6:amd64.
(Reading database ... 13753 files and directories currently installed.)
Preparing to unpack .../libffi6_3.2.1-3_amd64.deb ...
Unpacking libffi6:amd64 (3.2.1-3) ...
Selecting previously unselected package libssl1.0.2:amd64.
Preparing to unpack .../libssl1.0.2_1.0.2d-3_amd64.deb ...
Unpacking libssl1.0.2:amd64 (1.0.2d-3) ...
Selecting previously unselected package libevent-2.0-5:amd64.
Preparing to unpack .../libevent-2.0-5_2.0.21-stable-2+b1_amd64.deb ...
Unpacking libevent-2.0-5:amd64 (2.0.21-stable-2+b1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../mime-support_3.59_all.deb ...
Unpacking mime-support (3.59) ...
Selecting previously unselected package libexpat1:amd64.
Preparing to unpack .../libexpat1_2.1.0-7_amd64.deb ...
Unpacking libexpat1:amd64 (2.1.0-7) ...
Selecting previously unselected package libfstrm0:amd64.
Preparing to unpack .../libfstrm0_0.2.0-1_amd64.deb ...
Unpacking libfstrm0:amd64 (0.2.0-1) ...
Selecting previously unselected package libprotobuf-c1.
Preparing to unpack .../libprotobuf-c1_1.1.1-1_amd64.deb ...
Unpacking libprotobuf-c1 (1.1.1-1) ...
Selecting previously unselected package libpython2.7-minimal:amd64.
Preparing to unpack .../libpython2.7-minimal_2.7.10-5+b1_amd64.deb ...
Unpacking libpython2.7-minimal:amd64 (2.7.10-5+b1) ...
Selecting previously unselected package libpython2.7-stdlib:amd64.
Preparing to unpack .../libpython2.7-stdlib_2.7.10-5+b1_amd64.deb ...
Unpacking libpython2.7-stdlib:amd64 (2.7.10-5+b1) ...
Selecting previously unselected package libpython2.7:amd64.
Preparing to unpack .../libpython2.7_2.7.10-5+b1_amd64.deb ...
Unpacking libpython2.7:amd64 (2.7.10-5+b1) ...
Selecting previously unselected package libunbound2:amd64.
Preparing to unpack .../libunbound2_1.5.6-1_amd64.deb ...
Unpacking libunbound2:amd64 (1.5.6-1) ...
Selecting previously unselected package openssl.
Preparing to unpack .../openssl_1.0.2d-3_amd64.deb ...
Unpacking openssl (1.0.2d-3) ...
Selecting previously unselected package unbound-anchor.
Preparing to unpack .../unbound-anchor_1.5.6-1_amd64.deb ...
Unpacking unbound-anchor (1.5.6-1) ...
Selecting previously unselected package unbound.
Preparing to unpack .../unbound_1.5.6-1_amd64.deb ...
Unpacking unbound (1.5.6-1) ...
Processing triggers for libc-bin (2.19-22) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (227-2) ...
Setting up libffi6:amd64 (3.2.1-3) ...
Setting up libssl1.0.2:amd64 (1.0.2d-3) ...
Setting up libevent-2.0-5:amd64 (2.0.21-stable-2+b1) ...
Setting up mime-support (3.59) ...
Setting up libexpat1:amd64 (2.1.0-7) ...
Setting up libfstrm0:amd64 (0.2.0-1) ...
Setting up libprotobuf-c1 (1.1.1-1) ...
Setting up libpython2.7-minimal:amd64 (2.7.10-5+b1) ...
Setting up libpython2.7-stdlib:amd64 (2.7.10-5+b1) ...
Setting up libpython2.7:amd64 (2.7.10-5+b1) ...
Setting up libunbound2:amd64 (1.5.6-1) ...
Setting up openssl (1.0.2d-3) ...
Setting up unbound-anchor (1.5.6-1) ...
Setting up unbound (1.5.6-1) ...
Running in chroot, ignoring request.
invoke-rc.d: policy-rc.d denied execution of start.
Processing triggers for libc-bin (2.19-22) ...
Processing triggers for systemd (227-2) ...
root@chase:/# cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
root@chase:/# cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
     # The following line will configure unbound to perform cryptographic
     # DNSSEC validation using the root trust anchor.
     auto-trust-anchor-file: "/var/lib/unbound/root.key"
root@chase:/# unbound-checkconf -o auto-trust-anchor-file
/var/lib/unbound/root.key
root@chase:/#

Indeed, my bad. After uninstalling unbound (purge) and removing the /etc/unbound directory, then installing it again, it looks exactly as you wrote and works well, so the old config file seems to cause the issue.

Still, there will be a disruption of service on upgrade when the old default config is present, and I guess such an operation should be a safe one, especially for such a crucial service as DNS.

Maybe just add a check on the 1.4.x -> 1.5.x upgrade whether the file pointed to by auto-trust-anchor-file has proper rights and, if not, display a dialog with a warning that this should be checked? Or just display a warning without that check...

Regards,
Paweł Różański
--
http://rozie.blox.pl/
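The pre-upgrade check Paweł proposes, written out as an added example (this is not code from the thread or from the unbound or Debian projects). It assumes the daemon runs as the user "unbound" after dropping privileges (so root is not special-cased), and that autotrust writes a temporary sibling file before renaming it over the anchor, which is what the `/etc/unbound/root.key.3265-0` path in the error message shows; the permission logic is judged from ownership and mode bits only.

```python
import os
import stat


def _may_write(st: os.stat_result, uid: int, gids: set, need_exec: bool = False) -> bool:
    """Judge write (and optionally search) access from owner/group/mode bits
    alone. Root is deliberately NOT special-cased: unbound has dropped
    privileges to its own user by the time it touches the anchor file."""
    if st.st_uid == uid:
        bits = stat.S_IWUSR | (stat.S_IXUSR if need_exec else 0)
    elif st.st_gid in gids:
        bits = stat.S_IWGRP | (stat.S_IXGRP if need_exec else 0)
    else:
        bits = stat.S_IWOTH | (stat.S_IXOTH if need_exec else 0)
    return st.st_mode & bits == bits


def check_anchor(path: str, uid: int, gids: set) -> list:
    """Return the problems that would make unbound 1.5.x abort with
    'could not open autotrust file for writing' when running as uid/gids.
    An empty list means the anchor file and its directory are both fine."""
    if not os.path.isfile(path):
        return [f"{path} does not exist (run unbound-anchor to create it)"]
    problems = []
    if not _may_write(os.stat(path), uid, gids):
        problems.append(f"{path} is not writable by uid {uid}")
    # autotrust creates root.key.<pid>-<n> next to the anchor and renames it
    # over the original, so the directory needs write+search permission too;
    # a writable file in a read-only directory still fails.
    directory = os.path.dirname(os.path.abspath(path))
    if not _may_write(os.stat(directory), uid, gids, need_exec=True):
        problems.append(f"{directory} is not writable by uid {uid}")
    return problems


if __name__ == "__main__":
    import pwd
    import subprocess
    import sys
    # Resolve the effective path the same way the thread does.
    anchor = subprocess.run(["unbound-checkconf", "-o", "auto-trust-anchor-file"],
                            capture_output=True, text=True, check=True).stdout.strip()
    if not anchor:
        sys.exit("no auto-trust-anchor-file configured; nothing to check")
    pw = pwd.getpwnam("unbound")  # assumed daemon user
    found = check_anchor(anchor, pw.pw_uid, set(os.getgrouplist(pw.pw_name, pw.pw_gid)))
    for line in found:
        print("WARNING:", line, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run on the 1.4 layout from the thread (root.key owned by unbound in /var/lib/unbound) it reports nothing; on the /etc/unbound/root.key owned by root it reports both the file and, typically, the directory.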
