Re: 1.7.3 - trusted-keys-file location
Hi,

Fixed the documentation in the man page to more clearly state that chroot
is enabled by default. In addition, it lists the default setting for it
as well. If you are using the man pages online, those get updated when we
release a new version; the man page source is already available in the
source code repository.

Best regards, Wouter

On 26/07/18 17:34, ѽ҉ᶬḳ℠ via Unbound-users wrote:
> That is not very clear (to me) from the online documentation:
>
> > The default is "/usr/local/etc/unbound". If you give "" no chroot is performed. <
>
> It implies a default directory but it does not expressly state that
> chroot is enabled by default.
>
>
>> Best regards, Wouter
>>> Since the authoritative server being Bind 9.13.0 I thought it would make
>>> sense to utilize its zone file straight away for unbound as > trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting
>>>
>>> /etc/unbound/var/named/mail.db: No such file or directory
>>> [1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file:
>>> "/var/named/mail.db" does not exist in chrootdir /etc/unbound
>>>
>>> There is no chroot directive in the unbound conf however...
Re: 1.7.3 - trusted-keys-file location
Hi,

On 26/07/18 19:53, ѽ҉ᶬḳ℠ via Unbound-users wrote:
>>>> You can start the auto-trust-anchor-file rotation by providing a file
>>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>>> in there.
>>
>> I tried this with (in conf)
>>
>> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
>> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"

Unbound wants you to load the trust anchors for a domain in one
statement. Not have them spread over different statements with
different options. That is the error you are referring to.

So, the files you have are fine (make sure the hexadecimal is on one
line with the start of the record, I cannot tell due to mailer
wordwrap). And just load one of them. You can load multiple files, and
have a file for every different domain for which you want keys.

The bind9 format readup does in fact not confer any benefits, if you
ignore the syntax that it reads. I mean, it uses the same processing as
a plain trust-anchor-file statement. But it reads in a different syntax.

Best regards, Wouter

>>
>> And the latter reading (copied from the BIND-9 zone file)
>>
>> mail. 1d IN DS 22205 14 1
>> 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DS 22205 14 2
>> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> and as variation
>>
>> mail. 1d IN DNSKEY 22205 14 1
>> 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DNSKEY 22205 14 2
>> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> but either way unbound is reporting the below and I do not understand
>> what the issue (anchor cannot be with and without autotrust) is?
>>
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 1, skipping
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 2, skipping
>> error: failed to read /etc/unbound/mail-trusted-key.key
>> error: error reading auto-trust-anchor-file:
>> /etc/unbound/mail-trusted-key.key
>> error: validator: error in trustanchors config
>> error: validator: could not apply configuration settings.
>> fatal error: bad config for validator module
> Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and if
> not met throwing the error.
> I am no coder and cannot make sense of
>
>     if(tp) {
>         if(!tp->autr) {
>             log_err("anchor cannot be with and without autotrust");
>             lock_basic_unlock(&tp->lock);
>             return NULL;
>         }
>
> The BIND-9 zone file does only provide the aforementioned. Does anything
> have to be done with it to make it compliant with the anchor structure
> required by unbound?
>
>
>
Re: 1.7.3 - trusted-keys-file location
>>> You can start the auto-trust-anchor-file rotation by providing a file
>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>> in there.
>>>
>>>
> I tried this with (in conf)
>
> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>
> And the latter reading (copied from the BIND-9 zone file)
>
> mail. 1d IN DS 22205 14 1
> 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DS 22205 14 2
> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> and as variation
>
> mail. 1d IN DNSKEY 22205 14 1
> 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DNSKEY 22205 14 2
> 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>
> but either way unbound is reporting the below and I do not understand
> what the issue (anchor cannot be with and without autotrust) is?
>
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 1, skipping
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from
> /etc/unbound/mail-trusted-key.key at line 2, skipping
> error: failed to read /etc/unbound/mail-trusted-key.key
> error: error reading auto-trust-anchor-file:
> /etc/unbound/mail-trusted-key.key
> error: validator: error in trustanchors config
> error: validator: could not apply configuration settings.
> fatal error: bad config for validator module

Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and if
not met throwing the error.

I am no coder and cannot make sense of

    if(tp) {
        if(!tp->autr) {
            log_err("anchor cannot be with and without autotrust");
            lock_basic_unlock(&tp->lock);
            return NULL;
        }

The BIND-9 zone file does only provide the aforementioned. Does anything
have to be done with it to make it compliant with the anchor structure
required by unbound?
Re: 1.7.3 - trusted-keys-file location
>> You can start the auto-trust-anchor-file rotation by providing a file
>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>> in there.
>>
>>

I tried this with (in conf)

auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"

And the latter reading (copied from the BIND-9 zone file)

mail. 1d IN DS 22205 14 1
0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DS 22205 14 2
816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA

and as variation

mail. 1d IN DNSKEY 22205 14 1
0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DNSKEY 22205 14 2
816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA

but either way unbound is reporting the below and I do not understand
what the issue (anchor cannot be with and without autotrust) is?

error: anchor cannot be with and without autotrust
error: failed to load trust anchor from
/etc/unbound/mail-trusted-key.key at line 1, skipping
error: anchor cannot be with and without autotrust
error: failed to load trust anchor from
/etc/unbound/mail-trusted-key.key at line 2, skipping
error: failed to read /etc/unbound/mail-trusted-key.key
error: error reading auto-trust-anchor-file:
/etc/unbound/mail-trusted-key.key
error: validator: error in trustanchors config
error: validator: could not apply configuration settings.
fatal error: bad config for validator module
Re: 1.7.3 - trusted-keys-file location
>> to my understanding it is feasible to have DNSSEC served for private
>> zones in stub-zone, requiring a trusted key entry with the public key
>> in config - that would be through > trusted-keys-file: <, right?
> trusted-keys-file reads the BIND syntax for a key statement, but not the
> managed 'db' file that has internal BIND stuff for key rotation.

What is the purpose of > trusted-keys-file < then compared to > trust-anchor-file <
except for the BIND-9 style format? Since the BIND-9 style format is
expressly stated I thought it would make sense to utilize the BIND-9
zone file directly, but apparently that is a misconception on my part,
and thus the question of the purpose of > trusted-keys-file <.

>
> trust-anchor-file is easy: just copy and paste the DNSKEY or DS records
> in there. Like, grep DNSKEY example.com.zone > example.com.key
> auto-trust-anchor-file enables RFC5011 rotation and keeps track if the
> keys are rotated (like, for the root zone that is important).
>
> You can start the auto-trust-anchor-file rotation by providing a file
> like for trust-anchor-file: a plain text file with DNSKEY or DS records
> in there.
>
> By default chroot is enabled; chroot: "" disables the use of chroot.

That is not very clear (to me) from the online documentation:

> The default is "/usr/local/etc/unbound". If you give "" no chroot is performed. <

It implies a default directory but it does not expressly state that
chroot is enabled by default.

>
> Best regards, Wouter
>> Since the authoritative server being Bind 9.13.0 I thought it would make
>> sense to utilize its zone file straight away for unbound as > trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting
>>
>> /etc/unbound/var/named/mail.db: No such file or directory
>> [1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file:
>> "/var/named/mail.db" does not exist in chrootdir /etc/unbound
>>
>> There is no chroot directive in the unbound conf however...
Re: 1.7.3 - trusted-keys-file location
Hi,

On 26/07/18 16:15, ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Hi,
>
> to my understanding it is feasible to have DNSSEC served for private
> zones in stub-zone, requiring a trusted key entry with the public key
> in config - that would be through > trusted-keys-file: <, right?

trusted-keys-file reads the BIND syntax for a key statement, but not the
managed 'db' file that has internal BIND stuff for key rotation.

trust-anchor-file is easy: just copy and paste the DNSKEY or DS records
in there. Like, grep DNSKEY example.com.zone > example.com.key

auto-trust-anchor-file enables RFC5011 rotation and keeps track if the
keys are rotated (like, for the root zone that is important).

You can start the auto-trust-anchor-file rotation by providing a file
like for trust-anchor-file: a plain text file with DNSKEY or DS records
in there.

By default chroot is enabled; chroot: "" disables the use of chroot.

Best regards, Wouter

>
> Since the authoritative server being Bind 9.13.0 I thought it would make
> sense to utilize its zone file straight away for unbound as > trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting
>
> /etc/unbound/var/named/mail.db: No such file or directory
> [1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file:
> "/var/named/mail.db" does not exist in chrootdir /etc/unbound
>
> There is no chroot directive in the unbound conf however...