To my understanding it is feasible to have DNSSEC served for private
zones in stub-zone, requiring a trusted key entry with the public key
in config - that would be through > trusted-keys-file: <, right?
Since the authoritative server is Bind 9.13.0, I thought it would make
sense to utilize its zone file straight away for unbound as >
trusted-keys-file: "/var/named/mail.db" <. However, unbound is reporting

/etc/unbound/var/named/mail.db: No such file or directory
[1532614243] unbound-checkconf[2467:0] fatal error: trusted-keys-file: "/var/named/mail.db" does not exist in chrootdir /etc/unbound

There is no chroot directive in the unbound conf however...

> To my understanding it is feasible to have DNSSEC served for private
> zones in stub-zone, requiring a trusted key entry with the public key
> in config - that would be through > trusted-keys-file: <, right?

trusted-keys-file reads the BIND syntax for a key statement, but not the
managed 'db' file that has internal BIND stuff for key rotation.

trust-anchor-file is easy: just copy and paste the DNSKEY or DS records
in there. Like, grep DNSKEY example.com.zone > example.com.key

auto-trust-anchor-file enables RFC5011 rotation and keeps track if the
keys are rotated (like, for the root zone that is important).

You can start the auto-trust-anchor-file rotation by providing a file
like for trust-anchor-file: a plain text file with DNSKEY or DS records
in there.

By default chroot is enabled; chroot: "" disables the use of chroot.

>> To my understanding it is feasible to have DNSSEC served for private
>> zones in stub-zone, requiring a trusted key entry with the public key
>> in config - that would be through > trusted-keys-file: <, right?
> trusted-keys-file reads the BIND syntax for a key statement, but not the
> managed 'db' file that has internal BIND stuff for key rotation.

What is the purpose of > trusted-keys-file < then compared to >
trust-anchor-file < except for the BIND-9 style format?
Since the BIND-9 style format is expressly stated, I thought it would
make sense to utilize the BIND-9 zone file directly, but apparently that
is a misconception on my part, and thus the question of the purpose of
> trusted-keys-file <.

> trust-anchor-file is easy: just copy and paste the DNSKEY or DS records
> in there. Like, grep DNSKEY example.com.zone > example.com.key
> auto-trust-anchor-file enables RFC5011 rotation and keeps track if the
> keys are rotated (like, for the root zone that is important).
> You can start the auto-trust-anchor-file rotation by providing a file
> like for trust-anchor-file: a plain text file with DNSKEY or DS records
> in there.
> By default chroot is enabled; chroot: "" disables the use of chroot.

That is not very clear (to me) from the online documentation: > The
default is "/usr/local/etc/unbound". If you give "" no chroot is
performed. < It implies a default directory but it does not expressly
state that chroot is enabled by default.

> You can start the auto-trust-anchor-file rotation by providing a file
> like for trust-anchor-file: a plain text file with DNSKEY or DS records
> in there.

And the latter reading (copied from the BIND-9 zone file)

mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA

and as variation

mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DNSKEY 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA

but either way unbound is reporting the below and I do not understand
what the issue (anchor cannot be with and without autotrust) is:

error: anchor cannot be with and without autotrust
error: failed to load trust anchor from /etc/unbound/mail-trusted-key.key at line 1, skipping
error: anchor cannot be with and without autotrust
error: failed to load trust anchor from /etc/unbound/mail-trusted-key.key at line 2, skipping
error: failed to read /etc/unbound/mail-trusted-key.key
error: error reading auto-trust-anchor-file: /etc/unbound/mail-trusted-key.key
error: validator: error in trustanchors config
error: validator: could not apply configuration settings.
fatal error: bad config for validator module

>> You can start the auto-trust-anchor-file rotation by providing a file
>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>> in there.
> And the latter reading (copied from the BIND-9 zone file)
> mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
> and as variation
> mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
> mail. 1d IN DNSKEY 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
> but either way unbound is reporting the below and I do not understand
> what the issue (anchor cannot be with and without autotrust) is:
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from /etc/unbound/mail-trusted-key.key at line 1, skipping
> error: anchor cannot be with and without autotrust
> error: failed to load trust anchor from /etc/unbound/mail-trusted-key.key at line 2, skipping
> error: failed to read /etc/unbound/mail-trusted-key.key
> error: error reading auto-trust-anchor-file: /etc/unbound/mail-trusted-key.key
> error: validator: error in trustanchors config
> error: validator: could not apply configuration settings.
> fatal error: bad config for validator module

Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and if
not met throwing the error.
I am no coder and cannot make sense of

if(tp) {
    if(!tp->autr) {
        log_err("anchor cannot be with and without autotrust");
        lock_basic_unlock(&tp->lock);
        return NULL;
    }

The BIND-9 zone file only provides the aforementioned. Does anything
have to be done with it to make it compliant with the anchor structure
required by unbound?

>>> You can start the auto-trust-anchor-file rotation by providing a file
>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>> in there.
>> And the latter reading (copied from the BIND-9 zone file)
>> mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>> and as variation
>> mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DNSKEY 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>> but either way unbound is reporting the below and I do not understand
>> what the issue (anchor cannot be with and without autotrust) is:
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from /etc/unbound/mail-trusted-key.key at line 1, skipping
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from /etc/unbound/mail-trusted-key.key at line 2, skipping
>> error: failed to read /etc/unbound/mail-trusted-key.key
>> error: error reading auto-trust-anchor-file: /etc/unbound/mail-trusted-key.key
>> error: validator: error in trustanchors config
>> error: validator: could not apply configuration settings.
>> fatal error: bad config for validator module
> Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and if
> not met throwing the error.
> I am no coder and cannot make sense of
> if(tp) {
>     if(!tp->autr) {
>         log_err("anchor cannot be with and without autotrust");
>         lock_basic_unlock(&tp->lock);
>         return NULL;
>     }
> The BIND-9 zone file only provides the aforementioned. Does anything
> have to be done with it to make it compliant with the anchor structure
> required by unbound?

After a [ dig dnskey ] of the zone I amended
"/etc/unbound/mail-trusted-key.key" to

mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlq Onl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLx ymR1B8+DZ96lXvkW
mail. 86156 IN DNSKEY 256 3 14 lWTX1MIw/HqcBk7nHwAmMvHnlvAVF8L0BZb9Foqi6BiS8qJIDu6j3tP8 ggjkkU2/ISCmJ0Ue1MGQd5jEwT5fKJ1mtESlqYawGODGWmNb8L/wamlQ NVH9QHWav9qfgvc1

but the [ error: anchor cannot be with and without autotrust ] just
keeps on popping up.
Am I doing something wrong or is this a bug in unbound?

Thank you for the suggestion and whilst not the solution it provided the
pointer to sort this…
Basically call it my stupidity or ignorance of having copy/pasted in the
server directive various zone statements and that including
[ domain-insecure: mail ]. After removing it the error is gone.

Just to conclude this thread - call it my ignorance of having
copied/pasted in the server directive various zone statements and that
including [ domain-insecure: mail ]. After removing it the error is gone.

> You can start the auto-trust-anchor-file rotation by providing a file
> like for trust-anchor-file: a plain text file with DNSKEY or DS records
> in there.

Unbound wants you to load the trust anchors for a domain in one
statement. Not have them spread over different statements with
different options. That is the error you are referring to.

So, the files you have are fine (make sure the hexadecimal is on one
line with the start of the record, I cannot tell due to mailer
wordwrap). And just load one of them.

You can load multiple files, and have a file for every different domain
for which you want keys.

The bind9 format readup does in fact not confer any benefits, if you
ignore the syntax that it reads. I mean, it uses the same processing as
a plain trust-anchor-file statement. But it reads in a different syntax.

Fixed the documentation in the man page to more clearly state that
chroot is enabled by default. In addition, it lists the default setting
for it as well. If you are using man pages online, that gets updated
when we release a new version, the man page source is already available
in the source code repository.
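Both failures in this thread (an anchor path outside the default chroot directory, and one name anchored by auto-trust-anchor-file while also listed under domain-insecure) can be caught by inspecting the config before unbound-checkconf is run. The script below is an added example written for this page, not unbound code and not something posted in the thread: it pulls the anchor-related statements out of a server: block, parses the DNSKEY/DS records in the anchor files, checks that each record sits on one line with the right field layout, and reports a name that is anchored with and without autotrust, treating domain-insecure as a key-less, non-autotrust anchor for that name, which is what the resolution above shows. The default chroot path /etc/unbound (a compile-time setting that differs per build), the sample config strings and the in-memory stand-in for the files on disk are assumptions; the DNSKEY and DS records are the ones quoted in the thread.

```python
import base64
import re

DS_DIGEST_LEN = {1: 20, 2: 32, 4: 48}  # digest bytes per DS digest type: SHA-1, SHA-256, SHA-384
DEFAULT_CHROOT = "/etc/unbound"  # assumption: the compile-time default this thread's build reported
ANCHOR_FILE_STATEMENTS = ("auto-trust-anchor-file", "trust-anchor-file", "trusted-keys-file")


def normalize_name(name):
    """Lower-case a domain name and add the trailing dot ('mail' -> 'mail.')."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_conf(text):
    """Collect chroot, domain-insecure and the anchor-file statements of a server: block."""
    conf = {"chroot": None, "insecure": []}
    conf.update({statement: [] for statement in ANCHOR_FILE_STATEMENTS})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        value = value.strip('"')
        if key == "chroot":
            conf["chroot"] = value
        elif key == "domain-insecure":
            conf["insecure"].append(normalize_name(value))
        elif key in ANCHOR_FILE_STATEMENTS:
            conf[key].append(value)
    return conf


def check_rdata(rrtype, rdata):
    """Validate DS (key tag, alg, digest type, hex) or DNSKEY (flags, proto, alg, base64) rdata."""
    if rrtype not in ("DS", "DNSKEY") or len(rdata) < 4:
        return "expected a DNSKEY or DS record with all four rdata fields on one line"
    try:
        first, second, third = (int(field) for field in rdata[:3])
        if rrtype == "DS":
            digest = bytes.fromhex("".join(rdata[3:]))
            if len(digest) != DS_DIGEST_LEN.get(third, -1):
                return "digest length %d does not match digest type %d" % (len(digest), third)
        else:
            base64.b64decode("".join(rdata[3:]), validate=True)  # whitespace inside the key is fine
            if second != 3:
                return "DNSKEY protocol must be 3, got %d" % second
            if first not in (256, 257):
                return "DNSKEY flags %d is neither ZSK (256) nor KSK (257)" % first
    except ValueError:  # also catches binascii.Error raised by b64decode
        return "numeric fields followed by hex (DS) or base64 (DNSKEY) expected"
    return None


def parse_anchor_file(text):
    """Parse one DNSKEY/DS record per line into (owner, rrtype, problem) tuples."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()
        if not tokens:
            continue
        owner, rest = normalize_name(tokens[0]), tokens[1:]
        if rest and re.fullmatch(r"\d+[smhdw]?", rest[0], re.I):  # optional TTL such as 1d
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if not rest:  # a continuation line produced by mailer word-wrap lands here
            records.append((owner, None, "line %d: no record type" % lineno))
            continue
        rrtype, problem = rest[0].upper(), check_rdata(rest[0].upper(), rest[1:])
        records.append((owner, rrtype, "line %d: %s" % (lineno, problem) if problem else None))
    return records


def lint(conf_text, files, default_chroot=DEFAULT_CHROOT):
    """Return issue strings for a config; files maps anchor-file path -> file contents."""
    conf = parse_conf(conf_text)
    chroot = default_chroot if conf["chroot"] is None else conf["chroot"]
    issues, sources = [], {}  # sources: owner -> set of statements anchoring it
    for statement in ANCHOR_FILE_STATEMENTS:
        for path in conf[statement]:
            # After chroot() an absolute path outside the chroot directory cannot be opened.
            if chroot and path.startswith("/") and not path.startswith(chroot.rstrip("/") + "/"):
                issues.append("%s does not exist in chrootdir %s" % (path, chroot))
            elif statement != "trusted-keys-file":  # BIND key-statement syntax; not parsed here
                for owner, rrtype, problem in parse_anchor_file(files.get(path, "")):
                    if problem:
                        issues.append("%s: %s" % (path, problem))
                    else:
                        sources.setdefault(owner, set()).add(statement)
    # domain-insecure installs a key-less, non-autotrust trust point, i.e. a "without autotrust" anchor.
    for owner in conf["insecure"]:
        sources.setdefault(owner, set()).add("domain-insecure")
    for owner, kinds in sorted(sources.items()):
        if "auto-trust-anchor-file" in kinds and len(kinds) > 1:
            issues.append("anchor cannot be with and without autotrust: %s (%s)" % (owner, ", ".join(sorted(kinds))))
    return issues


# Constructed unbound.conf reproducing the thread's final misconfiguration, and its fix.
BROKEN_CONF = 'server:\n    domain-insecure: mail\n    auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"\n'
FIXED_CONF = BROKEN_CONF.replace("    domain-insecure: mail\n", "")
# The thread's first error: an anchor path outside the (default) chroot directory.
CHROOT_CONF = 'server:\n    trusted-keys-file: "/var/named/mail.db"\n'
# Stand-in for the filesystem: the KSK record posted in the thread, on one line.
ANCHOR_FILES = {"/etc/unbound/mail-trusted-key.key":
    "mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlq "
    "Onl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLx ymR1B8+DZ96lXvkW\n"}
# The thread's first anchor-file attempt: a word-wrapped DS record and a DNSKEY with DS-style fields.
BAD_ANCHOR_FILE = ("mail. 1d IN DS 22205 14 1\n0FFE136DCCCFD7879D350A62610193ADA5F18111\n"
                   "mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111\n")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("chroot", CHROOT_CONF)):
        print(label, lint(conf, ANCHOR_FILES) or "ok")
```

With a real configuration the `files` dict is filled by reading each anchor file from disk; the checks are deliberately the same three the thread ran into, and unbound-checkconf remains the authority on whether unbound itself accepts the result.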