Package: unbound
Version: 1.13.1-1
Severity: normal
Tags: patch

I ran out of space on /var and unbound still tried to update the root
trust anchor file, which ended up empty.  Then, later, after a reboot the
package-helper failed to detect and recover from that, and
unbound.service failed to start.

With the attached patch (which adds a rudimentary sanity check) and
freshly freed disk space, unbound started normally.  However, a better
solution might be to test more carefully for sufficient disk space
when making changes to the file, or to use two oversized files in rotation
and never truncate them.

Regards,
Dennis

P.S.: I also noticed that unbound.service under [Service] defines no
StateDirectory=/var/lib/unbound to ensure that it is mounted on start.

Description: Update the root trust anchor file if it fails a simple sanity check
 This uses sed instead of grep -v to print all non-comment lines, as
 the latter adds a newline to its output, and we want to interpret the
 absence of a newline as an indicator of corruption.
 .
 The regex could be written more specifically, e.g. mention "DNSKEY" etc.
Author: Dennis Filder <d.fil...@web.de>
--- package-helper-orig
+++ package-helper
@@ -78,11 +78,14 @@
     if $ROOT_TRUST_ANCHOR_UPDATE; then
         if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
             if [ -r "$DNS_ROOT_KEY_FILE" ]; then
-                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
+                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" \
+		       -o "$(sed -n '/^[[:space:]]*[^;]/p' < "$ROOT_TRUST_ANCHOR_FILE" | tr -cd '\n' |wc -c)" -eq 0 ]; then
                     if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
                         echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"
                     elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                         echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
+                    elif [ "$(sed -n '/^[[:space:]]*[^;]/p' < "$ROOT_TRUST_ANCHOR_FILE" | tr -cd '\n' |wc -c)" -eq 0 ]; then
+                        echo "Overwriting corrupt/incomplete file $ROOT_TRUST_ANCHOR_FILE with file $DNS_ROOT_KEY_FILE"
                     fi
                     install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
                 fi
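Review bot: The `$(sed -n ... < "$ROOT_TRUST_ANCHOR_FILE" ...)` command substitution in the new `-o` operand runs before `[` evaluates `! -e "$ROOT_TRUST_ANCHOR_FILE"`, so on a fresh install where the file does not exist the shell redirection fails and prints a "No such file or directory" message to stderr even though the branch then correctly takes the "does not exist, copying" path; compute the count only after the `-e` test (or guard it with `[ -e ... ] &&`) and store it in a variable, which also removes the duplicated sed|tr|wc pipeline between the outer condition and the new `elif`. A second point on the regex `/^[[:space:]]*[^;]/`: `[[:space:]]*` can match zero characters and `[^;]` then matches a space, so a file containing only a whitespace line counts as having a non-comment line and passes the check; `'/^[[:space:]]*[^;[:space:]]/p'` would reject it, in line with the "could be written more specific" remark in the description.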

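As an added example, not part of this report or of the unbound package's own package-helper, the shell script below packages the patch's sed|tr|wc sanity check as a function and pairs it with the atomic-replacement approach the report hints at (never truncating the live file): the new content goes to a temporary file in the same directory, is re-checked there, and is only then renamed over the old file, so a full /var leaves the previous trust anchor intact. Function names, file names and the DS record contents are hypothetical, and the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not the Debian package-helper's own code. Names and
# sample data are hypothetical / constructed for illustration.

# Returns 0 if FILE has at least one complete, newline-terminated
# non-comment line, 1 otherwise. Same test as the patch: an empty file,
# a comment-only file, or a file whose last record lost its trailing
# newline (a typical truncation symptom) all count as corrupt/incomplete.
anchor_file_ok() {
    file=$1
    [ -r "$file" ] || return 1
    n=$(sed -n '/^[[:space:]]*[^;]/p' < "$file" | tr -cd '\n' | wc -c | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Copies SRC over DST without ever truncating DST in place: the data is
# written to a temporary file in DST's directory, re-checked there, and
# then renamed into place (rename is atomic on the same filesystem). If
# the filesystem fills up mid-copy, the temporary file is removed and the
# previous DST is left untouched instead of being left empty.
install_anchor_atomically() {
    src=$1; dst=$2
    anchor_file_ok "$src" || { echo "refusing to install unusable $src" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$dst")/.anchor.XXXXXX") || return 1
    if cp "$src" "$tmp" && anchor_file_ok "$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$dst"
    else
        echo "update of $dst failed, keeping previous file" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample inputs in a scratch directory (the DS record is a dummy).
demo_dir=$(mktemp -d)
printf '' > "$demo_dir/empty.key"                                  # truncated to nothing
printf '; comment only\n' > "$demo_dir/comments.key"               # no records at all
printf '. IN DS 0 0 0 00' > "$demo_dir/nonewline.key"             # record lost its newline
printf '; trust anchor file\n. IN DS 0 0 0 00\n' > "$demo_dir/good.key"

for f in empty comments nonewline good; do
    if anchor_file_ok "$demo_dir/$f.key"; then
        echo "$f.key: usable"
    else
        echo "$f.key: corrupt/incomplete"
    fi
done

install_anchor_atomically "$demo_dir/good.key" "$demo_dir/root.key" && echo "installed root.key"
# A later attempt with a broken source is refused and root.key survives.
install_anchor_atomically "$demo_dir/empty.key" "$demo_dir/root.key" || echo "root.key kept"
```

The temporary file must live in the destination's directory so that `mv` is a rename rather than a copy; a temporary file on another filesystem would reintroduce the truncate-then-write window. Note that the check, like the patch's regex, still accepts a line consisting only of whitespace as a "record"; `[^;[:space:]]` in place of `[^;]` closes that gap.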