Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#42146 - [unbound] Configure DNSSEC rootkey path for libunbound
Attached to Project:
Community Packages
Opened by Nicolas I. (IooNag) - Saturday, 27 September 2014, 20:59 GMT
Last edited by Gaetan Bisson (vesath) - Tuesday, 30 September 2014, 04:06 GMT
Details

Short description:
When compiling the gnutls package with DANE support provided by libunbound, DANE verification fails:

    $ gnutls-cli --dane --port 443 good.dane.verisignlabs.com < /dev/null
    (...)
    [1411850793] libunbound[31025:0] error: error opening file /etc/unbound/root.key: No such file or directory
    [1411850793] libunbound[31025:0] error: error reading trust-anchor-file: /etc/unbound/root.key

This bug is fixed by adding "--with-rootkey-file=/etc/trusted-key.key" to the ./configure command line in the unbound PKGBUILD.

Long description:
unbound uses /etc/unbound/root.key by default to look for DNSSEC root keys. Arch Linux provides /etc/trusted-key.key in the dnssec-anchors package. Usually this is not a problem, as the wiki describes how to copy this file to configure DNSSEC validation (https://wiki.archlinux.org/index.php/Unbound#DNSSEC_validation). However, for programs using libunbound to perform DNSSEC-related work, like gnutls-cli, there is no such configuration file and /etc/unbound/root.key is used. When this file does not exist, gnutls-cli complains "error: error opening file /etc/unbound/root.key: No such file or directory".

There are 2 ways to solve this: either by creating /etc/unbound/root.key (as a symlink to /etc/trusted-key.key, for example) or by changing the hard-coded path through configure's --with-rootkey-file option, in the unbound package. I personally think the second option is better, but I don't care if the maintainer prefers the first one.

Additional info:
* Architecture: x86_64
* package version(s): unbound 1.4.22-1
* gnutls 3.3.8-2 rebuilt from PKGBUILD (with makepkg) after unbound has been installed (so that ./configure detects libunbound).

Steps to reproduce:
* Install unbound: "sudo pacman -S unbound"
* Download gnutls package from ABS, for example with "yaourt -G gnutls && cd gnutls"
* Build and install gnutls: "makepkg -i gnutls"
* Check the DANE certificate of a website: "gnutls-cli --dane --port 443 good.dane.verisignlabs.com < /dev/null"
* This command fails with "error opening file /etc/unbound/root.key: No such file or directory"

Expected results:
* Output with "- DANE: Certificate matches."
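A way to check which state a system is in before running DANE verification, as an added example that is not part of the original report or of the unbound package. The function names, status strings and the root-prefix argument are hypothetical, and the DS record in demo() is a constructed placeholder.

```shell
#!/bin/sh
# Added example: classify the DNSSEC trust anchor that libunbound consumers
# (such as gnutls-cli --dane) will load when built with the default path.
# Usage: check_trust_anchor          (live system)
#        check_trust_anchor /scratch (hypothetical root prefix for testing)

has_root_anchor() {
    # True if the file holds a DS or DNSKEY record owned by the root zone ".".
    # Comment lines start with ";" and never have "." as their first field.
    awk '$1 == "." && /[ \t](DS|DNSKEY)[ \t]/ { found = 1 }
         END { exit !found }' "$1" 2>/dev/null
}

check_trust_anchor() {
    root=${1:-}
    default="$root/etc/unbound/root.key"   # libunbound's default path per the report
    distro="$root/etc/trusted-key.key"     # file shipped by dnssec-anchors

    if [ ! -e "$default" ]; then           # also true for a dangling symlink
        if [ -r "$distro" ] && has_root_anchor "$distro"; then
            echo "missing-default"         # the state described in the report
        else
            echo "missing-both"
        fi
        return 1
    fi
    if ! has_root_anchor "$default"; then
        echo "no-root-anchor"              # present but unusable for validation
        return 1
    fi
    if [ -L "$default" ] && [ "$default" -ef "$distro" ]; then
        echo "ok-symlink"                  # first fix: symlink to the distro anchor
    else
        echo "ok-file"                     # a separate copy, may go stale on key rollover
    fi
}

demo() {
    # Constructed scratch tree: reproduces the reported state, then applies the
    # symlink fix. Prints "missing-default" followed by "ok-symlink".
    t=$(mktemp -d) && mkdir -p "$t/etc/unbound"
    printf '. 172800 IN DS 12345 8 2 PLACEHOLDERDIGEST\n' > "$t/etc/trusted-key.key"
    check_trust_anchor "$t" || true
    ln -s ../trusted-key.key "$t/etc/unbound/root.key"
    check_trust_anchor "$t" || true
    rm -rf "$t"
}
```

A package rebuilt with --with-rootkey-file=/etc/trusted-key.key no longer reads /etc/unbound/root.key, so on such a system "missing-default" is expected and harmless.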
Closed by Gaetan Bisson (vesath)
Tuesday, 30 September 2014, 04:06 GMT
Reason for closing: Implemented
Additional comments about closing: unbound-1.4.22-2 in [community]
Comment by Gaetan Bisson (vesath) - Tuesday, 30 September 2014, 04:04 GMT
Thanks for the detailed report!