Summary: | net-dns/unbound-1.5.1-r2 - DNSSEC anchor placed outside chroot directory | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Simon Siemonsma <simon> |
Component: | Current packages | Assignee: | Marc Schiffbauer <mschiff> |
Status: | RESOLVED OBSOLETE | | |
Severity: | normal | CC: | nabeken, proxy-maint |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Description
Simon Siemonsma
2016-12-10 19:46:41 UTC
I am sorry, but I think this is not a bug, but a configuration problem: if you use unbound's chrooting feature you have to relocate your trust anchor file so that it is inside your chroot. Or am I missing something here? Please reopen if you still think this is a bug. Thanks!

I would expect that when I emerge Unbound the different parts of a standard installation expect critical files at the same location. So I expect that:

- when systemctl start/enable unbound
- when systemctl start/enable unbound-anchor
- running unbound-anchor

they all will work with the file location. As it looks now, in a standard install everything which handles keeping the anchor up to date looks in /etc/dnssec. The process using the anchor looks in /etc/dnssec within a chrooted environment, which is a different location. This doesn't look logical to me. All of the following options look more logical to me:

1. the processes which update the anchor work in the same chroot
2. the process using the anchor doesn't run chrooted (probably not the best option)
3. in the chrooted environment there is some symlink/hardlink which links to the anchor outside the chrooted environment (don't know if this is even possible)

Option 1 sounds most logical to me.

Simon Siemonsma

I created a directory /etc/unbound/etc/dnssec
made a bind mount to /etc/dnssec
chown unbound /etc/dnssec of course
in /etc/unbound/unbound.conf uncommented the line:
auto-trust-anchor-file: "/etc/dnssec/root-anchors.txt"

This seems to work. Some more info on: https://www.unbound.net/documentation/howto_anchor.html

Hope this will be helpful for someone who is able to make a more elegant solution.

Simon

The unbound ebuild depends on the root-anchor file provided by net-dns/dnssec-root, so unbound will be built to use /etc/dnssec/root-anchors.txt by default. Also the defaults that the unbound tools are using are configured at build time.

If you decide to enable the auto-trust-anchor-file feature so that the root-anchors file will be updated automatically, I would recommend not trying to make unbound overwrite the original file /etc/dnssec/root-anchors.txt but using some different path, because it's not good to auto-update a file owned by another package. At least this might be a bad choice for a default setting in the ebuild. You may rely on the trust anchor that is provided by the dnssec-root package. All this can only work if you disable unbound's chrooting feature, or otherwise you have to copy/mount/link/whatever the trust-anchor file into the chroot like you already described. I agree that this is not an ideal solution. I will think about this some more and maybe come up with a saner solution in a later release. Until then I suggest copying the auto-trust-anchor-file into some subdir like /etc/unbound/var, making the directory and file owned by unbound so that unbound can write into it, or let and go this way. However, for a good default configuration we have to find something that will work with chroot enabled out of the box. And using bind mounts here seems not ideal as it would be too invasive. Symlinks will not work with chroot. Hardlinks also would not work because AFAIK the inode will change on root-key update.
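An added example, not code from the bug report or from the unbound project, that automates the check the thread does by hand: given an unbound.conf, where on the host must the auto-trust-anchor-file exist so that unbound can still read it after chroot()? It assumes the path rules that unbound.conf(5) documents for chroot: a path that already starts with the chroot directory is used as given (unbound strips the prefix after chrooting), any other absolute path is taken relative to the new root, and an empty chroot disables chrooting. The config contents, directory layout and placeholder anchor are constructed in a scratch directory to mirror the 1.5.1-r2 defaults quoted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from unbound itself).
# Works out where the chrooted unbound will look for auto-trust-anchor-file
# and reports whether a readable file is there on the host.
#
# Assumed path rules (unbound.conf(5), chroot:):
#   - path starts with the chroot directory -> used as-is, prefix stripped later
#   - any other absolute path                -> inside the chroot: <chroot><path>
#   - chroot: ""                              -> no chroot, path is a host path
# Relative paths (resolved against directory:) are rejected to keep this short.
set -u

# conf_value FILE KEY -> print the first uncommented value of KEY: (quotes
# removed); prints nothing if KEY is not set.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# host_anchor_path CONF -> print the host location the anchor must live at.
# Returns 1 if no auto-trust-anchor-file is configured, 2 if it is relative.
host_anchor_path() {
    root=$(conf_value "$1" chroot)
    anchor=$(conf_value "$1" auto-trust-anchor-file)
    [ -n "$anchor" ] || return 1
    case $anchor in
        /*) ;;
        *)  echo "relative anchor path not handled here: $anchor" >&2; return 2 ;;
    esac
    if [ -z "$root" ]; then          # chrooting disabled: nothing to translate
        echo "$anchor"
        return 0
    fi
    root=${root%/}                   # normalise a trailing slash
    case $anchor in
        "$root"/*) echo "$anchor" ;;       # chroot prefix given: unbound strips it
        *)         echo "$root$anchor" ;;  # no prefix: the file must be inside the chroot
    esac
}

# check_anchor CONF -> 0 if the anchor is readable where unbound will look,
# 1 otherwise. A one-line verdict is printed either way.
check_anchor() {
    path=$(host_anchor_path "$1") || return 1
    if [ -r "$path" ]; then
        echo "ok: anchor reachable at $path"
        return 0
    fi
    echo "MISSING: chrooted unbound will look for $path"
    return 1
}

# Constructed demo: the Gentoo defaults from the bug, rooted in a scratch dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/dnssec" "$tmp/etc/unbound"
    echo 'constructed placeholder, not a real trust anchor' > "$tmp/etc/dnssec/root-anchors.txt"
    cat > "$tmp/unbound.conf" <<EOF
server:
    chroot: "$tmp/etc/unbound"
    # a commented-out setting must be ignored:
    # auto-trust-anchor-file: "/nowhere/root-anchors.txt"
    auto-trust-anchor-file: "/etc/dnssec/root-anchors.txt"
EOF
    check_anchor "$tmp/unbound.conf"        # MISSING: .../etc/unbound/etc/dnssec/root-anchors.txt

    # The maintainer's suggestion: a private copy under the chroot, referenced
    # with the chroot prefix. In real use this directory and file must be owned
    # by the unbound user so RFC 5011 updates can be written (chown omitted here).
    mkdir -p "$tmp/etc/unbound/var"
    cp "$tmp/etc/dnssec/root-anchors.txt" "$tmp/etc/unbound/var/"
    cat > "$tmp/unbound-fixed.conf" <<EOF
server:
    chroot: "$tmp/etc/unbound"
    auto-trust-anchor-file: "$tmp/etc/unbound/var/root-anchors.txt"
EOF
    check_anchor "$tmp/unbound-fixed.conf"  # ok: anchor reachable
    rm -rf "$tmp"
}

demo
```

Run `check_anchor /etc/unbound/unbound.conf` on the real host to see which location the two halves of the installation disagree on; whatever path it prints is the one that must be writable by the unbound user if the auto-trust-anchor-file is to be updated in place, as the maintainer's comment above recommends.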