
auto-trust-anchor don't work

Open Bundy01 opened this issue 2 years ago • 9 comments

Describe the bug

Hi, I'm trying to configure Unbound with auto-trust-anchor. I've given the user unbound the rights, but I get errors after running the command # unbound-anchor -va /etc/trusted-key.key:

~ % # unbound-checkconf

/etc/trusted-key.key:1: error: unknown keyword ';'
/etc/trusted-key.key:1: error: unknown keyword 'autotrust'
/etc/trusted-key.key:1: error: unknown keyword 'trust'
/etc/trusted-key.key:1: error: unknown keyword 'anchor'
/etc/trusted-key.key:1: error: unknown keyword 'file'
/etc/trusted-key.key:2: error: unknown keyword ';;id'
/etc/trusted-key.key:2: error: stray ':'
/etc/trusted-key.key:2: error: unknown keyword '.'
/etc/trusted-key.key:2: error: unknown keyword '1'
/etc/trusted-key.key:3: error: unknown keyword ';;last_queried'
/etc/trusted-key.key:3: error: stray ':'
/etc/trusted-key.key:3: error: unknown keyword '1639272900'
/etc/trusted-key.key:3: error: unknown keyword ';;Sun'
/etc/trusted-key.key:3: error: unknown keyword 'Dec'
/etc/trusted-key.key:3: error: unknown keyword '12'
/etc/trusted-key.key:3: error: unknown keyword '02'
/etc/trusted-key.key:3: error: stray ':'
/etc/trusted-key.key:3: error: unknown keyword '35'
/etc/trusted-key.key:3: error: stray ':'
/etc/trusted-key.key:3: error: unknown keyword '00'
/etc/trusted-key.key:3: error: unknown keyword '2021'
/etc/trusted-key.key:4: error: unknown keyword ';;last_success'
/etc/trusted-key.key:4: error: stray ':'
/etc/trusted-key.key:4: error: unknown keyword '1639272900'
/etc/trusted-key.key:4: error: unknown keyword ';;Sun'
/etc/trusted-key.key:4: error: unknown keyword 'Dec'
/etc/trusted-key.key:4: error: unknown keyword '12'
/etc/trusted-key.key:4: error: unknown keyword '02'
/etc/trusted-key.key:4: error: stray ':'
/etc/trusted-key.key:4: error: unknown keyword '35'
/etc/trusted-key.key:4: error: stray ':'
/etc/trusted-key.key:4: error: unknown keyword '00'
/etc/trusted-key.key:4: error: unknown keyword '2021'
/etc/trusted-key.key:5: error: unknown keyword ';;next_probe_time'
/etc/trusted-key.key:5: error: stray ':'
/etc/trusted-key.key:5: error: unknown keyword '1639312824'
/etc/trusted-key.key:5: error: unknown keyword ';;Sun'
/etc/trusted-key.key:5: error: unknown keyword 'Dec'
/etc/trusted-key.key:5: error: unknown keyword '12'
/etc/trusted-key.key:5: error: unknown keyword '13'
/etc/trusted-key.key:5: error: stray ':'
/etc/trusted-key.key:5: error: unknown keyword '40'
/etc/trusted-key.key:5: error: stray ':'
/etc/trusted-key.key:5: error: unknown keyword '24'
/etc/trusted-key.key:5: error: unknown keyword '2021'
/etc/trusted-key.key:6: error: unknown keyword ';;query_failed'
/etc/trusted-key.key:6: error: stray ':'
/etc/trusted-key.key:6: error: unknown keyword '0'
/etc/trusted-key.key:7: error: unknown keyword ';;query_interval'
/etc/trusted-key.key:7: error: stray ':'
/etc/trusted-key.key:7: error: unknown keyword '43199'
/etc/trusted-key.key:8: error: unknown keyword ';;retry_time'
/etc/trusted-key.key:8: error: stray ':'
/etc/trusted-key.key:8: error: unknown keyword '8639'
/etc/trusted-key.key:9: error: unknown keyword '.'
/etc/trusted-key.key:9: error: unknown keyword '86398'
/etc/trusted-key.key:9: error: unknown keyword 'IN'
/etc/trusted-key.key:9: error: unknown keyword 'DNSKEY'
/etc/trusted-key.key:9: error: unknown keyword '257'
/etc/trusted-key.key:9: error: unknown keyword '3'
/etc/trusted-key.key:9: error: unknown keyword '8'
/etc/trusted-key.key:9: error: unknown keyword 'AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU='
/etc/trusted-key.key:9: error: unknown keyword ';{id'
/etc/trusted-key.key:9: error: unknown keyword '='
/etc/trusted-key.key:9: error: unknown keyword '20326'
/etc/trusted-key.key:9: error: unknown keyword '(ksk),'
/etc/trusted-key.key:9: error: unknown keyword 'size'
/etc/trusted-key.key:9: error: unknown keyword '='
/etc/trusted-key.key:9: error: unknown keyword '2048b}'
/etc/trusted-key.key:9: error: unknown keyword ';;state=2'
/etc/trusted-key.key:9: error: unknown keyword '['
/etc/trusted-key.key:9: error: unknown keyword 'VALID'
/etc/trusted-key.key:9: error: unknown keyword ']'
/etc/trusted-key.key:9: error: unknown keyword ';;count=0'
/etc/trusted-key.key:9: error: unknown keyword ';;lastchange=1639272900'
/etc/trusted-key.key:9: error: unknown keyword ';;Sun'
/etc/trusted-key.key:9: error: unknown keyword 'Dec'
/etc/trusted-key.key:9: error: unknown keyword '12'
/etc/trusted-key.key:9: error: unknown keyword '02'
/etc/trusted-key.key:9: error: stray ':'
/etc/trusted-key.key:9: error: unknown keyword '35'
/etc/trusted-key.key:9: error: stray ':'
/etc/trusted-key.key:9: error: unknown keyword '00'
/etc/trusted-key.key:9: error: unknown keyword '2021'
read /etc/unbound/unbound.conf failed: 84 errors in configuration file

Here is my unbound.conf (without comments):

~ %  grep -Ev '^[[:blank:]]*#|^$' /etc/unbound/unbound.conf

server:
	include: /etc/trusted-key.key
	include: /etc/unbound/blacklist
	verbosity: 0
	statistics-interval: 0
	num-threads: 8
	interface: 127.0.0.1
	interface: ::1
	port: 53
	outgoing-range: 78
	so-rcvbuf: 0
	so-sndbuf: 0
	so-reuseport: yes
	edns-buffer-size: 1232
	stream-wait-size: 7m
	msg-cache-size: 32m
	msg-cache-slabs: 8
	num-queries-per-thread: 1024
	rrset-cache-size: 64m
	rrset-cache-slabs: 8
	cache-min-ttl: 86400
	cache-max-ttl: 172800
	infra-cache-slabs: 8
	infra-cache-numhosts: 30000
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	use-systemd: no
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1/128 allow
	username: "unbound"
	directory: "/etc/unbound"
	use-syslog: no
	log-time-ascii: no
	log-queries: no
	log-replies: no
	log-tag-queryreply: no
	log-local-actions: no
	log-servfail: no
	root-hints: "root.hints"
	hide-identity: yes
	hide-version: yes
	hide-http-user-agent: yes
	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-algo-downgrade: no
	qname-minimisation: yes
	aggressive-nsec: yes
	use-caps-for-id: yes
	private-address: 10.0.0.0/8
	private-address: 192.168.0.0/16
	private-address: fd00::/8
	private-address: fe80::/10
	private-address: ::ffff:0:0/96
	unwanted-reply-threshold: 10000000
	do-not-query-localhost: no
	prefetch: yes
	prefetch-key: yes
	minimal-responses: yes
	disable-dnssec-lame-check: no
	module-config: "validator iterator"
	auto-trust-anchor-file: "/etc/trusted-key.key"
	root-key-sentinel: yes
	trust-anchor-file: "/etc/unbound/trusted-key.key"
	val-clean-additional: yes
	key-cache-size: 128m
	key-cache-slabs: 8
	tls-service-key: "/etc/unbound/unbound_server.key"
	tls-service-pem: "/etc/unbound/unbound_server.pem"
	tls-port: 853
	tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
	tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
	pad-responses: yes
	tls-use-sni: yes
	tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
python:
dynlib:
remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
forward-zone:
	name: "quad9.com"
	forward-addr: 9.9.9.9@853
	forward-addr: 149.112.112.112@853
	forward-first: yes
	forward-tls-upstream: yes

To reproduce Steps to reproduce the behavior:

  1. uncomment 'auto-trust-anchor-file:"/etc/trusted-key.key"'
  2. restart unbound.service

Expected behavior

System:

  • Unbound version: 1.14.0-1
  • OS: Arch
  • unbound -V output:
Version 1.14.0

Configure line: --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/bin --disable-rpath --enable-dnscrypt --enable-dnstap --enable-pie --enable-relro-now --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --enable-cachedb --with-libhiredis --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/trusted-key.key --with-libevent --with-libnghttp2 --with-pyunbound
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021
Linked modules: dns64 cachedb subnetcache respip validator iterator
DNSCrypt feature available
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

Additional information

Bundy01 avatar Dec 12 '21 02:12 Bundy01

The problem is the line where you include the key file, at the start of your config. The key should be listed in an auto-trust-anchor-file or a trust-anchor-file clause.

Later on, you have both an auto-trust-anchor-file and a trust-anchor-file. Use only one of the two. They have different path names. Use the one that is the correct key and is writable for auto-trust-anchor-file.

Because of the include at the start, the config parser attempts to read that file. That prints the syntax errors.

wcawijngaards avatar Dec 13 '21 07:12 wcawijngaards

I included the file because otherwise Unbound tries to create the file in etc/unbound/etc/trusted-key.key instead of /etc/trusted-key.key, whether directory: "/etc/unbound" is commented out or not.

For the trust-anchor-file: "/etc/unbound/trusted-key.key" line, I actually forgot to comment it out in the post.

I also tried to do this: auto-trust-anchor-file: "/etc/unbound/trusted-key.key" but I have permission problems on the file (even giving read/write permission to all).

Bundy01 avatar Dec 13 '21 17:12 Bundy01

You should not do that include. The pathname change that you talk about is likely because of chroot, check the chroot setting it has a default and you do not list it in the config. The default depends on the distro you use, and that also sets in some cases lots of systemd settings, and permissions profiles, like apparmor, selinux. Those are likely interfering with the permissions. That is what you then need to solve, the permissions problem.

wcawijngaards avatar Dec 14 '21 07:12 wcawijngaards

Thank you for the answer. I have disabled Apparmor's Unbound profile and uncommented the 'chroot' line without success on the rights. I won't insist here. However, I still have a question if you allow me. I use Unbound on my personal computer and I am the only user.

Can you tell me if I forgot to add security settings in the conf file? Or on the contrary, if I have added potential vulnerabilities?

server:
	include: /etc/unbound/blacklist
	verbosity: 0
	statistics-interval: 0
	num-threads: 8
	interface: 127.0.0.1
	interface: ::1
	port: 53
	outgoing-range: 78
	so-rcvbuf: 0
	so-sndbuf: 0
	so-reuseport: yes
	edns-buffer-size: 1232
	stream-wait-size: 7m
	msg-cache-size: 32m
	msg-cache-slabs: 8
	num-queries-per-thread: 1024
	rrset-cache-size: 64m
	rrset-cache-slabs: 8
	cache-min-ttl: 86400
	cache-max-ttl: 172800
	infra-cache-slabs: 8
	infra-cache-numhosts: 30000
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	use-systemd: no
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1/128 allow
	chroot: "/etc/unbound"
	username: "unbound"
	directory: "/etc/unbound"
	use-syslog: no
	log-time-ascii: no
	log-queries: no
	log-replies: no
	log-tag-queryreply: no
	log-local-actions: no
	log-servfail: no
	root-hints: "root.hints"
	hide-identity: yes
	hide-version: yes
	hide-http-user-agent: yes
	harden-glue: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-algo-downgrade: no
	qname-minimisation: yes
	aggressive-nsec: yes
	use-caps-for-id: yes
	private-address: 10.0.0.0/8
	private-address: 192.168.0.0/16
	private-address: fd00::/8
	private-address: fe80::/10
	private-address: ::ffff:0:0/96
	unwanted-reply-threshold: 10000000
	do-not-query-localhost: no
	prefetch: yes
	prefetch-key: yes
	minimal-responses: yes
	disable-dnssec-lame-check: no
	module-config: "validator iterator"
	root-key-sentinel: yes
	trust-anchor-file: "/etc/unbound/trusted-key.key"
	val-clean-additional: yes
	key-cache-size: 128m
	key-cache-slabs: 8
	tls-service-key: "/etc/unbound/unbound_server.key"
	tls-service-pem: "/etc/unbound/unbound_server.pem"
	tls-port: 853
	tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
	tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
	pad-responses: yes
	tls-use-sni: yes
	tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
python:
dynlib:
remote-control:
	control-enable: yes
	control-interface: 127.0.0.1
forward-zone:
	name: "quad9.com"
	forward-addr: 9.9.9.9@853
	forward-addr: 149.112.112.112@853
	forward-first: yes
	forward-tls-upstream: yes

Bundy01 avatar Dec 14 '21 18:12 Bundy01

There seem to be no problems with your config, but it is possible to set the TLS authentication name for the forward-addr and you have not set it. This is how you set that:

	forward-addr: 9.9.9.9@853#dns.quad9.net
	forward-addr: 149.112.112.112@853#dns.quad9.net

Other than that the config should work, also for the trust anchor that looks fine. That still gives permission problems? It is listed once, and not as an include and it is inside the chroot. So that looks a lot better than before.

wcawijngaards avatar Dec 15 '21 09:12 wcawijngaards

Thanks for taking some time :) If I replace trust-anchor with auto-trust-anchor, I get this error in systemctl:

Dec 15 18:56:34 laptop unbound[26580]: [1639590994] unbound[26580:0] fatal error: could not open autotrust file for writing, /trusted-key.key.26580-0-55aed4275330: Permission denied
-rw-r----- 1 root    wheel 22023792 15 déc.  00:15 blacklist
drwxr-xr-x 2 root    root      4096  4 juin   2021 dev
-rw-r----- 1 root    wheel   397620 15 déc.  07:15 google.conf
-rw-r--r-- 1 root    wheel     3314 29 nov.  01:36 root.hints
drwxr-xr-x 2 root    root      4096  4 juin   2021 run
-rw-rw---- 1 unbound root       738 12 déc.  02:02 trusted-key.key
-rw-r----- 1 root    wheel    46808 15 déc.  19:05 unbound.conf
-rw-r----- 1 root    wheel    46442 24 nov.  04:03 unbound.conf.save
-rw------- 1 root    root      2455  4 juin   2021 unbound_control.key
-rw-r----- 1 root    root      1411  4 juin   2021 unbound_control.pem
-rw------- 1 root    root      2455  4 juin   2021 unbound_server.key
-rw-r----- 1 root    root      1549  4 juin   2021 unbound_server.pem

Regards.

EDIT: I just noticed that with the 'chroot' parameter enabled, I no longer have DNSSEC validation.

unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net

returns to me:

[1639595853] libunbound[61944:0] error: error opening file /trusted-key.key: No such file or directory
[1639595853] libunbound[61944:0] error: error reading trust-anchor-file: /etc/unbound/trusted-key.key
[1639595853] libunbound[61944:0] error: validator: error in trustanchors config
[1639595853] libunbound[61944:0] error: validator: could not apply configuration settings.
[1639595853] libunbound[61944:0] error: module init for module validator failed
resolve error: initialization failure

No errors if I comment out the 'chroot' line.

If I manually load the file /etc/unbound/trusted-key.key, the rights change to

-rw------- 1 root root       758 15 déc.  20:12 trusted-key.key

Bundy01 avatar Dec 15 '21 18:12 Bundy01

So, what are the permissions on the directory itself? It needs access to that to create the temporary file that it tries to write to. You do not list that in your ls. Perhaps that is your problem.

Then there is the file not found with chroot. That is weird, since the file is inside the directory, yet it then does not exist. Did you adjust the chroot line in some way? If you comment it out you get the default chroot location, so is the string edited when it is not commented out? The setting "" makes chroot turn off; by default it is turned on.

wcawijngaards avatar Dec 16 '21 08:12 wcawijngaards

Okay wait, you post errors from unbound-host -C, which uses the library call; that is not the same as starting unbound. So never mind that.

wcawijngaards avatar Dec 16 '21 08:12 wcawijngaards
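As an added example (not code from the issue thread or from Unbound), this POSIX shell pre-flight check tests an unbound.conf for the three anchor mistakes the maintainer points out in the replies above: an include: of the key file, both anchor directives set at once, and an anchor path that lies outside the chroot. The function names conf_value, path_in_chroot and check_anchor_config are chosen here, and the check assumes the one-option-per-line layout used in the thread.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from Unbound: a pre-flight
# check of an unbound.conf for the three trust-anchor mistakes discussed in
# the thread. Assumes the one-option-per-line layout the thread uses.

# First value of a server: option, surrounding quotes stripped; empty if unset.
conf_value() {  # conf_value FILE KEY
    grep -E "^[[:blank:]]*$2:" "$1" | head -n 1 \
        | sed -E "s/^[[:blank:]]*$2:[[:blank:]]*\"?([^\"]*)\"?.*/\1/"
}

# The path as unbound sees it once chrooted: the chroot prefix is stripped,
# e.g. chroot /etc/unbound + /etc/unbound/trusted-key.key -> /trusted-key.key
# (the thread's "could not open ... /trusted-key.key" error shows this).
# A path outside the chroot is returned unchanged.
path_in_chroot() {  # path_in_chroot CHROOT PATH
    case "$2" in
        "$1"/*) printf '%s\n' "${2#"$1"}" ;;
        *)      printf '%s\n' "$2" ;;
    esac
}

# Prints one finding per line; returns 0 only when there are none.
check_anchor_config() {  # check_anchor_config FILE
    conf="$1"; rc=0
    auto=$(conf_value "$conf" auto-trust-anchor-file)
    fixed=$(conf_value "$conf" trust-anchor-file)
    chroot=$(conf_value "$conf" chroot)
    # 1. the anchor file is validator data, never an include: of config text
    for k in $auto $fixed; do
        if grep -Eq "^[[:blank:]]*include:[[:blank:]]*\"?$k\"?" "$conf"; then
            echo "anchor file $k is pulled in with include:; remove that line"
            rc=1
        fi
    done
    # 2. use auto-trust-anchor-file (writable) or trust-anchor-file, not both
    if [ -n "$auto" ] && [ -n "$fixed" ]; then
        echo "both auto-trust-anchor-file and trust-anchor-file set; keep one"
        rc=1
    fi
    # 3. with chroot set, the anchor must live inside it. An unset chroot means
    #    the compiled-in default applies (see: unbound-checkconf -o chroot) and
    #    chroot: "" turns it off; both cases skip this check.
    for k in $auto $fixed; do
        if [ -n "$chroot" ] && [ "$(path_in_chroot "$chroot" "$k")" = "$k" ]; then
            echo "anchor $k lies outside chroot $chroot"
            rc=1
        fi
    done
    return $rc
}
```

The remaining condition from the thread, that the unbound user can create the temporary file next to the anchor, is a runtime check on the host: sudo -u unbound test -w /etc/unbound.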

@wcawijngaards: Do you have any idea why the rights of the /etc/unbound/trusted-key.key file change when I update it (unbound-anchor)? Maybe it's what is blocking with 'auto-trust' too?

I put the full functional rights just in case (without 'chroot' option):

total 22M
drwxr-xr-x  4 root root  4,0K 17 déc.  20:37 .
drwxr-xr-x 69 root root  4,0K 17 déc.  22:37 ..
-rw-r-----  1 root wheel  21M 17 déc.  22:36 blacklist
drwxr-xr-x  2 root root  4,0K  4 juin   2021 dev
-rw-r-----  1 root wheel 389K 17 déc.  00:55 google
-rw-r--r--  1 root wheel 3,3K 15 déc.  23:29 root.hints
drwxr-xr-x  2 root root  4,0K  4 juin   2021 run
-rw-r--r--  1 root root   757 17 déc.  20:37 trusted-key.key
-rw-r-----  1 root wheel  46K 16 déc.  01:55 unbound.conf
-rw-r-----  1 root wheel  46K 24 nov.  04:03 unbound.conf.save
-rw-------  1 root root  2,4K  4 juin   2021 unbound_control.key
-rw-r-----  1 root root  1,4K  4 juin   2021 unbound_control.pem
-rw-------  1 root root  2,4K  4 juin   2021 unbound_server.key
-rw-r-----  1 root root  1,6K  4 juin   2021 unbound_server.pem
-rw-r-----  1 root wheel  281 16 déc.  02:12 whitelist

Bundy01 avatar Dec 17 '21 21:12 Bundy01