Your message dated Tue, 19 Apr 2022 18:05:37 +0000
with message-id <[email protected]>
and subject line Bug#989959: fixed in unbound 1.15.0-2
has caused the Debian Bug report #989959,
regarding unbound: Corrupt/empty trust anchor file is not healed upon start
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
989959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989959
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.13.1-1
Severity: normal
Tags: patch

I ran out of space on /var and unbound still tried to update the root
trust anchor file which ended up empty.  Then later after reboot the
package-helper failed to detect and recover from that, and
unbound.service failed to start.

With the attached patch (which adds a rudimentary sanity check) and
freshly freed disk space unbound started normally.  However, a better
solution might be to test more carefully for sufficient disk space
when making changes to the file or using 2 oversized files in rotation
and never truncating them.

Regards,
Dennis

P.S.: I also noticed that unbound.service under [Service] defines no
StateDirectory=/var/lib/unbound to ensure that it is mounted on start.
Description: Update the root trust anchor file if it fails a simple sanity check
 This uses sed instead of grep -v to print all non-comment lines as
 the latter adds a newline to its output, and we want to interpret the
 absence of a newline as indicator of corruption.
 .
 The regex could be written more specific, e.g. mention "DNSKEY" etc.
Author: Dennis Filder <[email protected]>
--- package-helper-orig
+++ package-helper
@@ -78,11 +78,14 @@
     if $ROOT_TRUST_ANCHOR_UPDATE; then
         if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
             if [ -r "$DNS_ROOT_KEY_FILE" ]; then
-                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
+                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" \
+		       -o "$(sed -n '/^[[:space:]]*[^;]/p' < "$ROOT_TRUST_ANCHOR_FILE" | tr -cd '\n' |wc -c)" -eq 0 ]; then
                     if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
                         echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"
                     elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                         echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
+                    elif [ "$(sed -n '/^[[:space:]]*[^;]/p' < "$ROOT_TRUST_ANCHOR_FILE" | tr -cd '\n' |wc -c)" -eq 0 ]; then
+                        echo "Overwriting corrupt/incomplete file $ROOT_TRUST_ANCHOR_FILE with file $DNS_ROOT_KEY_FILE"
                     fi
                     install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
                 fi
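Review bot: the command substitution `"$(sed -n '/^[[:space:]]*[^;]/p' < "$ROOT_TRUST_ANCHOR_FILE" | tr -cd '\n' |wc -c)"` in the extended `if [ ... ]` on the `+` lines is expanded before `[` runs, so the `! -e "$ROOT_TRUST_ANCHOR_FILE"` test cannot short-circuit it; on a first install, where the file does not exist, sed writes a "No such file or directory" error to stderr even though the copy branch is taken anyway. Guarding the check with an existence test first, or moving the pipeline into a small function (e.g. `anchor_is_sane()`) that returns non-zero for a missing or unreadable file, avoids the noise and also removes the duplicated pipeline in the `elif` below. The pattern `/^[[:space:]]*[^;]/p` additionally matches a line consisting only of blanks, since `[^;]` accepts a space character, so a file of whitespace-only lines passes the check; `[^[:space:];]` excludes those, in line with the description's remark that the regex could be made more specific.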

--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.15.0-2
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 19 Apr 2022 20:39:12 +0300
Source: unbound
Architecture: source
Version: 1.15.0-2
Distribution: experimental
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 828699 900751 903390 931583 947771 973793 989959 991017
Changes:
 unbound (1.15.0-2) experimental; urgency=medium
 .
   [ Michael Stella ]
   * Add clarifying description to resolvconf hook
 .
   [ Simon Deziel ]
   * debian/unbound.init: ask start-stop-daemon to remove the PID file
     when stopping the daemon. Closes: #947771
 .
   [ Michael Tokarev ]
   * d/changelog: mention #1000201 closed by 1.15.0-1
   * d/changelog: mention install-pkgconfig-in-lib-not-all.patch in 1.15.0-1
   * stop resetting permissions of unbound resolvconf hook from ancient
     pre-jessie (<<1.5.8-1) version
   * stop removing ancient pre-jessie (<<1.5.7-2) /etc/default/unbound conffile
   * add DEP12 d/upstream/metadata
   * d/rules: stop adding --as-needed linker flag (it is the default now)
   * stop flipping default value for remote-control: control-enable to "yes"
     (see the NEWS file) (Closes: #991017)
   * enable TCP Fast-Open (TFO) for both client and server (Closes: #903390)
     This can be configured in /proc/sys/net/ipv4/tcp_fastopen (bitmask):
     0x01 is client-side (enabled by default), 0x02 is server-side (disabled).
     To enable tfo for both client and server, enable both bits.
   * enable DNS over HTTP (DoH) for the server. This adds libnghttp2-dev
     to Build-Depends (Closes: #973793)
   * add source lintian-override to shut up a false positive (windows binary)
   * d/unbound-helper: rename from package-helper and move it from subdir in
     /usr/lib/unbound/ to /usr/libexec/unbound-helper.
   * d/unbound-helper: rework updating of the unbound copy of the root.key file:
     copy it to /var/lib/unbound/root.key.tmp first and rename to ..../root.key
     only when done.  Also do not do it as root in an untrusted directory.
     (Closes: #989959)
   * d/unbound-helper: do not perform chroot setup operations if chroot is
     not configured in the config file
   * d/unbound-helper: perform /run/systemd/notify bind-mount for any chroot
     if configured, not only for non-standard chroot which needs a copy of
     all config files.  Closes: #931583, Actually closes: #828699.
   * d/unbound-helper: other cleanups
   * d/unbound.init: set PATH={,/usr}/{,s}bin.  Closes: #900751
   * d/unbound.init: stop hiding update_trust_anchor messages and use "unbound"
     tag for logging them
   * d/control: since unbound does not use unbound-anchor directly anymore,
     drop the Depends
   * d/control: move openssl from Depends to Recommends. It is used only to
     generate remote-control keys for unbound-control, once, usually at the
     install time (in postinst) and never used after install. Also check if
     openssl is installed and print a friendly error message in
     unbound-control-setup if it is not. This is done in a new patch,
     unbound-control-setup-check-openssl.patch
   * d/control: move dns-root-data from Depends to Recommends. It is only
     used for root.key currently (in unbound-helper) and even there, once
     it is initially copied to unbound library directory, this file will
     be managed by unbound itself using RFC 5011 trust anchor tracking.
     So this package can be removed if necessary, without harming unbound.
Checksums-Sha1:
 68e7b6ddd5af8bad88aa17751f128cdd803c50c8 2774 unbound_1.15.0-2.dsc
 cfd60adf7528b8a66d64d6e697513b30b137f8f4 23776 unbound_1.15.0-2.debian.tar.xz
 bd89c2af37cb7dbd00285882b75779d33dd068d9 7641 unbound_1.15.0-2_source.buildinfo
Checksums-Sha256:
 05cd6b40c5809f4e521fdbac57f389d14d627596b01f3eaa2bb42d5ae4492329 2774 unbound_1.15.0-2.dsc
 85d00426a2e6c47b9c6bde4dab561f2766a12f8cdf1c31c2d643ad8ab26ba20f 23776 unbound_1.15.0-2.debian.tar.xz
 2cef6266f0530ca000fcf93e20679c8816902eb85f9f29ec621816c46e4ab80c 7641 unbound_1.15.0-2_source.buildinfo
Files:
 fa98b7fdf50e641b7738d5c3fb2d890c 2774 net optional unbound_1.15.0-2.dsc
 a2bed06c6747fa6c1a1df553f72f2c93 23776 net optional unbound_1.15.0-2.debian.tar.xz
 f8bf43b762e93aa374b6a5bd5eda11e1 7641 net optional unbound_1.15.0-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmJe9BEPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZZXYIALYW8UU5cbnUCXD9OsqMODKJ5rR46C1/vLG8
ENsUhWpO4T9eUht/6i8HSfIGsOlTjJ3xZAH0kWSRkz7uQOf1kY9KRdvblm+jML6F
A72+GrDxPzxqee5IWLoRHlhHH9INu5ggnzqvv+sfRTURuuEeiA11ReN/yQHbfHeX
jyQCbOr2r6rbk9ifK9ybftVearm1TSOSubdZTNsq4EUsxUMnNdz4AZkDpNbUl+Rl
3DGexdqCBL2k/N6jzhZEhyh8DjF1EgO2Ff2i3+JumQBVvHfJbS33XJosEjtGz+vR
8QcmXvyBz8v6tgTGv2B/4YEarvIoxKJB6goY32WWITwrz4ln+5g=
=ywsy
-----END PGP SIGNATURE-----

--- End Message ---
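The failure mode in the report (a trust anchor file truncated when /var filled up, then not noticed by the helper on the next start) and the approach taken in 1.15.0-2 (copy to root.key.tmp first, rename over root.key only when done) can be shown together in a short POSIX shell script. This is an added example, not the Debian unbound-helper or any code from the unbound package; the function names, the sample DS record and the file names are constructed for the illustration. It keeps the report's newline-counting check in one function, so it is evaluated once and only on readable files (the pattern is tightened so whitespace-only lines also do not count), and performs the replacement through a temporary file in the same directory, so a write that fails midway leaves the previous, intact file in place.

```sh
#!/bin/sh
# Added example, not the Debian unbound-helper: sanity check for a trust
# anchor file plus an atomic replace. Paths, function names and the DS
# record below are constructed for the illustration.

# Succeed if FILE holds at least one complete, newline-terminated line whose
# first non-blank character is not ';'. Counting only the newlines of such
# lines means a final line cut off by a full disk is not counted, which is
# the corruption described in the report. sed (unlike grep -v) does not add
# a newline to a last line that lacks one. Missing or unreadable files fail
# the check without producing an error message.
anchor_is_sane() {
    anchor_file=$1
    [ -r "$anchor_file" ] || return 1
    records=$(sed -n '/^[[:space:]]*[^[:space:];]/p' < "$anchor_file" | tr -cd '\n' | wc -c)
    [ "$records" -gt 0 ]
}

# Replace DEST with SRC without ever leaving a truncated DEST behind: copy to
# DEST.tmp in the same directory (so the final rename stays on one
# filesystem and is atomic), check the copy, then rename over DEST. If the
# disk is full, cp or the check fails and DEST keeps its previous content.
# Ownership handling (the packaged helper installs the file as the unbound
# user) is left out because it needs root.
install_anchor_atomically() {
    src=$1
    dest=$2
    tmp="$dest.tmp"
    if ! cp "$src" "$tmp" 2>/dev/null || ! anchor_is_sane "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
}

# Write constructed sample files into DIR: a valid anchor, an empty one (the
# report's symptom), a comment-only one and one cut off mid-record.
write_samples() {
    dir=$1
    printf '; constructed sample, not the real root key\n. 172800 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\n' > "$dir/good.key"
    : > "$dir/empty.key"
    printf '; only a comment\n   \n' > "$dir/comment.key"
    printf '. 172800 IN DS 12345 8 2 0123456789ABCDEF' > "$dir/truncated.key"
}

demo() {
    work=$(mktemp -d)
    write_samples "$work"
    for name in good empty comment truncated; do
        if anchor_is_sane "$work/$name.key"; then
            echo "$name.key: ok"
        else
            echo "$name.key: corrupt/incomplete, would be replaced"
        fi
    done
    # Healing the empty copy from the packaged key succeeds...
    install_anchor_atomically "$work/good.key" "$work/empty.key" && echo "empty.key healed"
    # ...while a bad source never clobbers a good destination.
    install_anchor_atomically "$work/truncated.key" "$work/good.key" || echo "good.key left untouched"
    rm -rf "$work"
}

demo
```

Run it as `sh anchor-demo.sh`. The same-directory temporary file matters: a rename across filesystems degrades into a copy and loses atomicity, which is why the changelog entry keeps the temporary copy under /var/lib/unbound next to root.key. The changelog's other point, not performing the copy as root inside the unbound-owned directory, is a privilege separation concern outside this example.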