root.key might be missing
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
unbound (Debian) | Fix Released | Unknown | | |
unbound (Ubuntu) | Triaged | Low | Unassigned | |
Bug Description
Not the underlying package libunbound2 but only the big DNS resolver package unbound contains a script to install/copy the root.key. If you install just unbound-anchor, unbound-host, or -dev, this does not happen and all tools which rely on libunbound.so might not work.
Steps to Reproduce
1) install Ubuntu 18.04 LTS for Desktop (in my case, Minimal)
2) $ sudo apt remove unbound
3) $ sudo apt install unbound-anchor
4) $ sudo unbound-anchor
Expected Result
This should install a root.key at /var/lib/unbound/, because that is the default location, given unbound-anchor at compile time.
Actual Result
libunbound error: unable to open /var/lib/
libunbound error: error reading auto-trust-
libunbound error: validator: error in trustanchors config
libunbound error: validator: could not apply configuration settings.
libunbound error: module init for module validator failed
Notes
This happens *even* after changing the file
/etc/unbound/
and its "auto-trust-
I am not sure how to solve this. My first guess would be that not the package unbound but the package libunbound2 should install that key file (script root_trust_
Workarounds
A) create the file yourself:
sudo mkdir /var/lib/unbound
sudo cp /usr/share/
B) specify the key of the package dns-root-data as command-line option:
sudo unbound-anchor -a "/usr/share/
I was not able to use this approach for unbound-host.
C) install the whole DNS resolver:
sudo apt install unbound
D) in your own app, instead of one, try two files:
if (0 == access(
status_unbound = ub_ctx_
} else {
status_unbound = ub_ctx_
}
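Workaround D, written out as an added example (this is not the reporter's code and not part of libunbound): choose the first usable trust anchor file from an ordered list before handing it to libunbound. The helper name `pick_trust_anchor`, the permission checks, and taking the fallback path from the command line are assumptions of this example; the fallback path is left to the caller because it is not given in full on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not part of libunbound): return the first candidate
 * that is usable as a DNSSEC trust anchor file, or NULL if none is. */
const char *pick_trust_anchor(const char *const *candidates, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct stat st;
        const char *p = candidates[i];

        if (p == NULL || stat(p, &st) != 0)
            continue;   /* missing file: the situation in this report */
        if (!S_ISREG(st.st_mode) || st.st_size == 0)
            continue;   /* directory, device or empty file */
        if (st.st_mode & (S_IWGRP | S_IWOTH))
            continue;   /* other local users could replace the root of trust */
        if (access(p, R_OK) != 0)
            continue;   /* present but not readable by this process */
        return p;
    }
    return NULL;
}

int main(int argc, char **argv)
{
    /* First path is the default location named in the report; the fallback
     * (for example the dns-root-data copy) is supplied by the caller. */
    const char *candidates[2] = { "/var/lib/unbound/root.key",
                                  argc > 1 ? argv[1] : NULL };
    const char *anchor = pick_trust_anchor(candidates, 2);

    if (anchor == NULL) {
        fprintf(stderr, "no usable trust anchor file found\n");
        return EXIT_FAILURE;
    }
    /* Hand `anchor` to the ub_ctx_ trust-anchor call the application uses. */
    printf("trust anchor: %s\n", anchor);
    return EXIT_SUCCESS;
}
```

The checks are made by path, so they do not cover a parent directory that other users can write to.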
tags: added: bionic
Changed in unbound (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Changed in unbound (Debian):
status: Unknown → New
Changed in unbound (Debian):
status: New → Incomplete
Changed in unbound (Debian):
status: Incomplete → Fix Released
Thanks for filing this bug in Ubuntu.
I understand your case: applications linked with libunbound2 will eventually look up the root.key file, but it's only installed by the unbound server package. I'm not sure what's expected here, to be honest, as I'm not familiar with unbound. What you say does make sense to me, though.
We mostly take this package from Debian as is, only applying small changes regarding AppArmor profiles, and it's in Universe, not Main. Would you mind filing this bug in Debian via bugs.debian.org?