Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#43225 - [unbound] Unable to access trusted-keys due to chroot
Attached to Project: Community Packages
Opened by Mantas Mikulėnas (grawity) - Thursday, 25 December 2014, 18:06 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 11 January 2015, 22:19 GMT
Details

[Description] By default Unbound comes configured to chroot into /etc/unbound, but the new rootkey file /etc/trusted-key.key is outside the chroot and therefore unreadable. It means that Unbound won't perform any DNSSEC validation until I manually add 'auto-trust-anchor-file: "root.key"' in unbound.conf and copy the file to /etc/unbound. This is actually worse than the pre-

(Also: '--with-rootkey-file' sets up the *auto*-trust-anchor-file option, which means Unbound will periodically update the file using RFC 5011, which might be undesirable from a packaging perspective.)

[Possible fix] As much as I'd like having one central place for the root key, it's probably not going to work properly. I suggest dropping '--with-rootkey-file' and instead ensuring that /etc/unbound/root.key exists by default, either by

a) running `cp /etc/trusted-key.key "$pkgdir/etc/unbound/root.key"` in package(),
b) running `unbound-anchor -a "$pkgdir/etc/unbound/root.key"` in package(),
c) adding "ExecStartPre=/usr/bin/unbound-anchor" to unbound.service,

or all of the above. That way, both Unbound and gnutls-cli (libunbound) will work correctly.
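The mismatch the report describes, as an added example that is not code from the report or from the unbound project: a POSIX sh check that works out which file unbound will actually open for auto-trust-anchor-file once it has chrooted, and flags a configured path that lies outside the jail. It assumes the path rule given in the unbound.conf man page (a path already under the chroot is used as is, any other path is opened inside the jail, relative names are taken from 'directory:'); the two configs at the end are constructed to mirror the packaged default and the suggested fix.

```shell
# conf_value FILE KEY: print the value of the first 'KEY: value' line, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# resolve_in_chroot CHROOT ABSPATH: print the host-side file unbound ends up opening.
# Assumed rule (from the unbound.conf man page): a path already under the chroot keeps
# its name (prefix stripped at runtime), any other absolute path is opened inside the jail.
resolve_in_chroot() {
    [ -n "$1" ] || { printf '%s\n' "$2"; return 0; }
    case $2 in
        "$1"|"$1"/*) printf '%s\n' "$2" ;;
        *)           printf '%s%s\n' "$1" "$2" ;;
    esac
}

# anchor_host_path CONF: host-side path of the configured auto-trust-anchor-file.
# Relative names are taken from 'directory:' (default /etc/unbound). Fails if unset.
anchor_host_path() {
    chroot=$(conf_value "$1" chroot)
    dir=$(conf_value "$1" directory); dir=${dir:-/etc/unbound}
    anchor=$(conf_value "$1" auto-trust-anchor-file)
    [ -n "$anchor" ] || return 1
    case $anchor in
        /*) ;;
        *)  anchor="$(resolve_in_chroot "$chroot" "$dir")/$anchor" ;;
    esac
    resolve_in_chroot "$chroot" "$anchor"
}

# check_anchor CONF: exit 0 if unbound can reach the anchor from inside its jail, 1 if not.
check_anchor() {
    chroot=$(conf_value "$1" chroot)
    anchor=$(conf_value "$1" auto-trust-anchor-file)
    host=$(anchor_host_path "$1") || { echo "no auto-trust-anchor-file configured"; return 1; }
    case $anchor in
        /*) if [ -n "$chroot" ] && [ "$host" != "$anchor" ]; then
                echo "UNREACHABLE: $anchor lies outside chroot $chroot; unbound would open $host"
                return 1
            fi ;;
    esac
    echo "ok: unbound opens $host"
}

# Constructed configs: the packaged default described in the report, and the suggested fix.
bad=$(mktemp); printf 'server:\n    chroot: "/etc/unbound"\n    auto-trust-anchor-file: "/etc/trusted-key.key"\n' > "$bad"
good=$(mktemp); printf 'server:\n    chroot: "/etc/unbound"\n    auto-trust-anchor-file: "root.key"\n' > "$good"
check_anchor "$bad" || :    # UNREACHABLE ... unbound would open /etc/unbound/etc/trusted-key.key
check_anchor "$good"        # ok: unbound opens /etc/unbound/root.key
rm -f "$bad" "$good"
```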
Closed by Gaetan Bisson (vesath)
Sunday, 11 January 2015, 22:19 GMT
Reason for closing: Fixed
Additional comments about closing: unbound-1.5.1-4 in [community]
1) ExecStartPre http://pkgs.fedoraproject.org/cgit/unbound.git/tree/unbound.service
2) cronjob http://pkgs.fedoraproject.org/cgit/unbound.git/tree/unbound.cron
The -c option is optional (hardcoded certificate works too). If the PKGBUILD is reverted, then -a is also optional.
So I feel a little uneasy implementing any of those options.
e) Don't chroot Unbound by default
Yeah, packaging purity is nice (like Firefox using system CAs), but not when it means more work for the end user...