On Mon, Dec 30, 2013 at 03:22:34PM -0500, Ted Unangst wrote:
> On Mon, Dec 30, 2013 at 12:10, Chris Smith wrote:
> > I've been working on using dnssec with the unbound package and viewing
> > some of the threads here on the list regarding this.
> > 
> > Enabling autotrust and the validator module in unbound.conf and
> > running unbound-anchor before starting unbound will enable dnssec but
> > eventually will log errors of:
> > 
> > could not open autotrust file for writing
> > 
> > This is apparently because the _unbound user or group does not have
> > write privileges to the directory, running unbound-anchor with "sudo
> > -u _unbound" doesn't change the directory perms.
> 
> That is on purpose. It's very bad for running daemons to have write
> privileges.
> 
> There are a couple solutions. More elaborately, it should use some
> sort of privilege separation code to communicate with another daemon
> if it needs to create new files after startup.
> 
> More simply, can that file be moved to another location? Then we can
> enable write permissions to /var/unbound/etc/autotrust/files/... or
> something, without giving away the keys to the whole kingdom.

Having the root.key in a separate directory works.
My unbound.conf file:

server:
    verbosity: 1
    interface: 127.0.0.1
    interface: ::1
    root-hints: "named.cache"
    auto-trust-anchor-file: "/var/unbound/etc/autotrust/root.key"
    dlv-anchor-file: "dlv.isc.org.key"

remote-control:
    control-enable: yes


The directory structure and permissions:

# find /var/unbound/etc -ls
1844866    4 drwxr-xr-x    3 root     wheel         512 Dec 30 23:43 /var/unbound/etc
1844867    4 -rw-r--r--    1 root     wheel         245 Dec 30 23:44 /var/unbound/etc/unbound.conf
1844870    4 -rw-r-----    1 root     wheel        1281 Feb  6  2011 /var/unbound/etc/unbound_server.key
1844871    4 -rw-r-----    1 root     wheel        1277 Feb  6  2011 /var/unbound/etc/unbound_control.key
1844897    8 -rw-r--r--    1 root     wheel        3048 Nov 11 18:31 /var/unbound/etc/named.cache
1844873    4 -rw-r-----    1 root     wheel         790 Feb  6  2011 /var/unbound/etc/unbound_server.pem
1844874    4 drwxr-xr-x    2 _unbound _unbound      512 Dec 30 23:45 /var/unbound/etc/autotrust
1844907    4 -rw-r--r--    1 _unbound _unbound      759 Dec 30 23:45 /var/unbound/etc/autotrust/root.key
1844875    4 -rw-r-----    1 root     wheel         802 Feb  6  2011 /var/unbound/etc/unbound_control.pem
1844877    4 -rw-r--r--    1 root     wheel         386 Feb  6  2011 /var/unbound/etc/dlv.isc.org.key
