[Pkg-dns-devel] Bug#804752: Bug#804752: unbound: After upgrade to 1.5.6, unbound does not start on default configuration.

Robert Edmonds edmonds at debian.org
Wed Nov 11 20:33:41 UTC 2015


Paweł Różański wrote:
> I run unbound on my laptop with Debian unstable as a local DNS cache. After a standard upgrade of packages
> I noticed that my DNS resolver does not work anymore. The unbound service does not run/start. After
> enabling debug I found in syslog:
> fatal error: could not open autotrust file for writing, /etc/unbound/root.key.3265-0: Permission denied
> 
> Indeed, I used /var/lib/unbound/root.key in 1.4:
> ls -ltr /var/lib/unbound/root.key
> -rw-r--r-- 1 unbound unbound 759 lis 11 09:44 /var/lib/unbound/root.key
> 
> 1.5.6 tried to use /etc/unbound/root.key:
> ls -ltra /etc/unbound/root.key
> -rw-r--r-- 1 root root 759 lis 10 09:33 /etc/unbound/root.key
> 
> 1.4 probably used conf.d, and 1.5.4 probably does not, as I have
> cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf 
> server:
>     # The following line will configure unbound to perform cryptographic
>     # DNSSEC validation using the root trust anchor.
>     auto-trust-anchor-file: "/var/lib/unbound/root.key"
> 
> I also checked exactly the same default configuration on previous version - works with 1.4.
> 
> Below is my current, working configuration. The only change is auto-trust-anchor-file line.

Hi, Paweł:

Unbound by itself doesn't read from /etc/unbound/conf.d.

In version 1.4.19, upstream added support for glob patterns in the
unbound.conf "include" directive:

    -   include: directive in config file accepts wildcards. Patch from
    Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"

However, it caused fatal errors if no files matched the glob pattern.
This bug was fixed in Unbound 1.4.21:

    * Fix so that for a configuration line of include: "*.conf" it is not
    an error if there are no files matching the glob pattern.

In the Debian unbound 1.4.21-1 package, I added support for reading
additional config snippets from /etc/unbound/conf.d/*.conf and moved the
default auto-trust-anchor-file directive into a separate file in that
directory:

  * Add support for .d style configuration in /etc/unbound/unbound.conf.d;
    closes: #656549.
  * Move auto-trust-anchor-file configuration for the root into the new
    /etc/unbound/unbound.conf.d directory.

The conf.d support in the unbound package depends on an explicit
"include" directive appearing in unbound.conf, which was enabled in the
default unbound.conf file shipped in the unbound package:

    # Unbound configuration file for Debian.
    #
    # See the unbound.conf(5) man page.
    #
    # See /usr/share/doc/unbound/examples/unbound.conf for a commented
    # reference config file.
    #
    # The following line includes additional configuration files from the
    # /etc/unbound/unbound.conf.d directory.
    include: "/etc/unbound/unbound.conf.d/*.conf"

It looks like your unbound.conf file doesn't have this "include"
directive.  This means the conf.d config snippets won't be read.

I do see an explicit "auto-trust-anchor-file" directive in your config file,
though.  Did you add this line before or after upgrading to 1.5.6-1?

You might also have been affected by upstream's change in svn r3387, in
Unbound 1.5.x:

    - Unbound exits with a fatal error when the auto-trust-anchor-file
      fails to be writable.  This is seconds after startup.  You can
      load a readonly auto-trust-anchor-file with trust-anchor-file.
      The file has to be writable to notice the trust anchor change,
      without it, a trust anchor change will be unnoticed and the system
      will then become inoperable.

This change converts what would previously have been a "working", or at
least runnable, config (though without a writable auto trust anchor file)
into a config that fails to start.

We can probably update the Debian package to be built with an explicit
"--with-rootkey-file=/var/lib/unbound/root.key" passed to configure,
which probably would have papered over the issue that you experienced,
though I'm confused as to where the "/etc/unbound/root.key" path could
have been coming from.

> I believe configuration file should be modified as below or reading conf.d should be
> restored. Right now service does not work on default configuration and may disrupt services.

Well, the default configuration on a fresh install looks like the below
console output, and results in the "auto-trust-anchor-file" directive
being set to the right value.  That config should definitely work.


edmonds at chase{0}:~$ sudo pbuilder --login                                           
I: Building the build Environment
I: extracting base tarball [/var/cache/pbuilder/base.tgz]
I: copying local configuration
I: mounting /proc filesystem
I: mounting /run/shm filesystem
I: mounting /dev/pts filesystem
I: policy-rc.d already exists
I: entering the shell
File extracted to: /var/cache/pbuilder/build/2801

root at chase:/# apt-get -qyV install unbound
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
   libevent-2.0-5 (2.0.21-stable-2+b1)
   libexpat1 (2.1.0-7)
   libffi6 (3.2.1-3)
   libfstrm0 (0.2.0-1)
   libprotobuf-c1 (1.1.1-1)
   libpython2.7 (2.7.10-5+b1)
   libpython2.7-minimal (2.7.10-5+b1)
   libpython2.7-stdlib (2.7.10-5+b1)
   libssl1.0.2 (1.0.2d-3)
   libunbound2 (1.5.6-1)
   mime-support (3.59)
   openssl (1.0.2d-3)
   unbound-anchor (1.5.6-1)
Suggested packages:
   ca-certificates (20150426)
Recommended packages:
   file (5.25-2)
The following NEW packages will be installed:
   libevent-2.0-5 (2.0.21-stable-2+b1)
   libexpat1 (2.1.0-7)
   libffi6 (3.2.1-3)
   libfstrm0 (0.2.0-1)
   libprotobuf-c1 (1.1.1-1)
   libpython2.7 (2.7.10-5+b1)
   libpython2.7-minimal (2.7.10-5+b1)
   libpython2.7-stdlib (2.7.10-5+b1)
   libssl1.0.2 (1.0.2d-3)
   libunbound2 (1.5.6-1)
   mime-support (3.59)
   openssl (1.0.2d-3)
   unbound (1.5.6-1)
   unbound-anchor (1.5.6-1)
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 6595 kB of archives.
After this operation, 24.0 MB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ sid/main libffi6 amd64 3.2.1-3 [20.1 kB]
Get:2 http://ftp.us.debian.org/debian/ sid/main libssl1.0.2 amd64 1.0.2d-3 [1278 kB]
Get:3 http://ftp.us.debian.org/debian/ sid/main libevent-2.0-5 amd64 2.0.21-stable-2+b1 [153 kB]
Get:4 http://ftp.us.debian.org/debian/ sid/main mime-support all 3.59 [36.4 kB]
Get:5 http://ftp.us.debian.org/debian/ sid/main libexpat1 amd64 2.1.0-7 [80.0 kB]
Get:6 http://ftp.us.debian.org/debian/ sid/main libfstrm0 amd64 0.2.0-1 [19.0 kB]
Get:7 http://ftp.us.debian.org/debian/ sid/main libprotobuf-c1 amd64 1.1.1-1 [24.5 kB]
Get:8 http://ftp.us.debian.org/debian/ sid/main libpython2.7-minimal amd64 2.7.10-5+b1 [381 kB]
Get:9 http://ftp.us.debian.org/debian/ sid/main libpython2.7-stdlib amd64 2.7.10-5+b1 [1846 kB]
Get:10 http://ftp.us.debian.org/debian/ sid/main libpython2.7 amd64 2.7.10-5+b1 [1065 kB]
Get:11 http://ftp.us.debian.org/debian/ sid/main libunbound2 amd64 1.5.6-1 [325 kB]
Get:12 http://ftp.us.debian.org/debian/ sid/main openssl amd64 1.0.2d-3 [693 kB]
Get:13 http://ftp.us.debian.org/debian/ sid/main unbound-anchor amd64 1.5.6-1 [112 kB]
Get:14 http://ftp.us.debian.org/debian/ sid/main unbound amd64 1.5.6-1 [562 kB]
Fetched 6595 kB in 0s (9953 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libffi6:amd64.
(Reading database ... 13753 files and directories currently installed.)
Preparing to unpack .../libffi6_3.2.1-3_amd64.deb ...
Unpacking libffi6:amd64 (3.2.1-3) ...
Selecting previously unselected package libssl1.0.2:amd64.
Preparing to unpack .../libssl1.0.2_1.0.2d-3_amd64.deb ...
Unpacking libssl1.0.2:amd64 (1.0.2d-3) ...
Selecting previously unselected package libevent-2.0-5:amd64.
Preparing to unpack .../libevent-2.0-5_2.0.21-stable-2+b1_amd64.deb ...
Unpacking libevent-2.0-5:amd64 (2.0.21-stable-2+b1) ...
Selecting previously unselected package mime-support.
Preparing to unpack .../mime-support_3.59_all.deb ...
Unpacking mime-support (3.59) ...
Selecting previously unselected package libexpat1:amd64.
Preparing to unpack .../libexpat1_2.1.0-7_amd64.deb ...
Unpacking libexpat1:amd64 (2.1.0-7) ...
Selecting previously unselected package libfstrm0:amd64.
Preparing to unpack .../libfstrm0_0.2.0-1_amd64.deb ...
Unpacking libfstrm0:amd64 (0.2.0-1) ...
Selecting previously unselected package libprotobuf-c1.
Preparing to unpack .../libprotobuf-c1_1.1.1-1_amd64.deb ...
Unpacking libprotobuf-c1 (1.1.1-1) ...
Selecting previously unselected package libpython2.7-minimal:amd64.
Preparing to unpack .../libpython2.7-minimal_2.7.10-5+b1_amd64.deb ...
Unpacking libpython2.7-minimal:amd64 (2.7.10-5+b1) ...
Selecting previously unselected package libpython2.7-stdlib:amd64.
Preparing to unpack .../libpython2.7-stdlib_2.7.10-5+b1_amd64.deb ...
Unpacking libpython2.7-stdlib:amd64 (2.7.10-5+b1) ...
Selecting previously unselected package libpython2.7:amd64.
Preparing to unpack .../libpython2.7_2.7.10-5+b1_amd64.deb ...
Unpacking libpython2.7:amd64 (2.7.10-5+b1) ...
Selecting previously unselected package libunbound2:amd64.
Preparing to unpack .../libunbound2_1.5.6-1_amd64.deb ...
Unpacking libunbound2:amd64 (1.5.6-1) ...
Selecting previously unselected package openssl.
Preparing to unpack .../openssl_1.0.2d-3_amd64.deb ...
Unpacking openssl (1.0.2d-3) ...
Selecting previously unselected package unbound-anchor.
Preparing to unpack .../unbound-anchor_1.5.6-1_amd64.deb ...
Unpacking unbound-anchor (1.5.6-1) ...
Selecting previously unselected package unbound.
Preparing to unpack .../unbound_1.5.6-1_amd64.deb ...
Unpacking unbound (1.5.6-1) ...
Processing triggers for libc-bin (2.19-22) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (227-2) ...
Setting up libffi6:amd64 (3.2.1-3) ...
Setting up libssl1.0.2:amd64 (1.0.2d-3) ...
Setting up libevent-2.0-5:amd64 (2.0.21-stable-2+b1) ...
Setting up mime-support (3.59) ...
Setting up libexpat1:amd64 (2.1.0-7) ...
Setting up libfstrm0:amd64 (0.2.0-1) ...
Setting up libprotobuf-c1 (1.1.1-1) ...
Setting up libpython2.7-minimal:amd64 (2.7.10-5+b1) ...
Setting up libpython2.7-stdlib:amd64 (2.7.10-5+b1) ...
Setting up libpython2.7:amd64 (2.7.10-5+b1) ...
Setting up libunbound2:amd64 (1.5.6-1) ...
Setting up openssl (1.0.2d-3) ...
Setting up unbound-anchor (1.5.6-1) ...
Setting up unbound (1.5.6-1) ...
Running in chroot, ignoring request.
invoke-rc.d: policy-rc.d denied execution of start.
Processing triggers for libc-bin (2.19-22) ...
Processing triggers for systemd (227-2) ...
root at chase:/# cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
root at chase:/# cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf 
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
root at chase:/# unbound-checkconf -o auto-trust-anchor-file 
/var/lib/unbound/root.key
root at chase:/# 


-- 
Robert Edmonds
edmonds at debian.org
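An added example, not part of this thread, the Debian package or the Unbound project: a bash pre-flight script that checks, offline, the two failure modes discussed above. It follows the include: directive (with glob expansion) from a given unbound.conf, prints every auto-trust-anchor-file it reaches, and then tests whether the service user can write that file by looking at ownership and mode bits rather than by trying to open it, so it can be run as an unprivileged user on a machine where unbound is not installed. The script name unbound-preflight.sh, the default user name "unbound" and the assumption that the anchor file is owned by that user (group write permission is ignored) are the example's own; on a real host, "unbound-checkconf -o auto-trust-anchor-file" remains the authoritative answer for the first part.

```bash
#!/bin/bash
# Added example, not code from this bug report or from the Unbound project.
# Pre-flight check for the two ways the thread shows a Debian unbound setup
# can break:
#   1. unbound.conf lacks the include: of unbound.conf.d/*.conf, so the
#      root-auto-trust-anchor-file.conf snippet is never read;
#   2. the resolved auto-trust-anchor-file is not writable by the unbound
#      user, which Unbound 1.5.x treats as a fatal error shortly after start.
# It follows include: directives itself so that it runs where unbound is not
# installed; on a real host, "unbound-checkconf -o auto-trust-anchor-file"
# is the authoritative answer. The user name "unbound" is the Debian default.

# Print every value of a "key: value" directive found in one file, with the
# optional surrounding double quotes removed. Comments and blank lines match
# nothing. Assumes one directive per line, as in the Debian config.
directive_value() {
    local key=$1 file=$2
    sed -n -E "s/^[[:space:]]*${key}:[[:space:]]*\"?([^\"#]*[^\"#[:space:]])\"?[[:space:]]*$/\1/p" "$file"
}

# List every config file reachable from $1 through include: directives.
# Globs are expanded by the shell, as Unbound has done since 1.4.19; a
# pattern that matches nothing is skipped, as Unbound does since 1.4.21.
config_files() {
    printf '%s\n' "$1"
    directive_value include "$1" | while IFS= read -r pat; do
        for f in $pat; do                 # unquoted on purpose: glob expansion
            if [ -f "$f" ]; then config_files "$f"; fi
        done
    done
}

# Print every auto-trust-anchor-file value reachable from the given
# unbound.conf, one per line (Unbound accepts more than one).
resolve_anchor_files() {
    config_files "$1" | while IFS= read -r f; do
        directive_value auto-trust-anchor-file "$f"
    done
}

# Return 0 if $1 exists and its mode bits let user $2 write it; otherwise
# print a diagnostic and return 1. Ownership and mode come from stat, so the
# check works without root and without the user existing on this machine.
# Group write permission is deliberately ignored (assumption: the anchor is
# owned by the unbound user itself, which is how the Debian package sets it up).
anchor_writable_by() {
    local file=$1 user=$2 owner mode perm bit
    if [ ! -e "$file" ]; then
        echo "MISSING: $file does not exist"
        return 1
    fi
    owner=$(stat -c %U "$file" 2>/dev/null || stat -f %Su "$file")
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    perm=${mode#"${mode%???}"}            # last three octal digits
    if [ "$owner" = "$user" ]; then
        bit=${perm%??}                    # owner permission digit
    else
        bit=${perm#??}                    # "other" permission digit
    fi
    if [ $(( bit & 2 )) -eq 0 ]; then
        echo "NOT WRITABLE: $file is owned by $owner, mode $perm; $user cannot write it"
        return 1
    fi
    return 0
}

# Whole pre-flight for config $1 and service user $2 (default "unbound").
# Returns 1 if no anchor is configured or any anchor is not writable.
preflight() {
    local conf=$1 user=${2:-unbound} status=0 found=0 anchor
    if ! grep -Eq '^[[:space:]]*include:.*unbound\.conf\.d' "$conf"; then
        echo "WARNING: $conf does not include unbound.conf.d; snippets there are ignored"
    fi
    for anchor in $(resolve_anchor_files "$conf"); do   # assumes no spaces in paths
        found=1
        echo "auto-trust-anchor-file: $anchor"
        anchor_writable_by "$anchor" "$user" || status=1
    done
    if [ "$found" -eq 0 ]; then
        echo "WARNING: no auto-trust-anchor-file directive reachable from $conf"
        status=1
    fi
    return "$status"
}

# Run only when given a config path (hypothetical script name), e.g.:
#   ./unbound-preflight.sh /etc/unbound/unbound.conf unbound
if [ $# -ge 1 ]; then
    preflight "$1" "${2:-unbound}"
fi
```

Run against the reporter's layout, the script reports the snippet path /var/lib/unbound/root.key only if unbound.conf actually carries the include: line; a root-owned, mode 644 anchor file is then reported as not writable by "unbound", which is exactly the condition that Unbound 1.5.x turns into a fatal error.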