Bug 222907 - dns/unbound 1.6.6 make install error line 77 plus problem with using service command
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jaap Akkerhuis
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-10 17:23 UTC by joeb1
Modified: 2021-03-11 02:24 UTC
CC: 3 users

See Also:
jaap: maintainer-feedback+


Attachments
sample quick-start file (4.13 KB, text/plain)
2017-10-10 17:23 UTC, joeb1

Description joeb1 2017-10-10 17:23:22 UTC
Created attachment 187054 [details]
sample quick-start file

1. Get this error message from make: "/usr/ports/MK/Users/ssl.mk" line 77: You are using an unsupported SSL provider openssl

openssl is valid. This is a bug in your make file. The make structure handles this for you automatically.

2. The "service unbound restart" command is not working correctly. It leaves my host in a compromised state. Getting entries in /var/log/auth.log about unsuccessful ftp and ssh logins even though those inbound ports are blocked by firewall rules.

When unbound is started using this console command
/usr/local/sbin/unbound -c /usr/local/etc/unbound/unbound.conf
I no longer have problems with unsuccessful ftp and ssh login entries in /var/log/auth.log.

Local_unbound and unbound should be pretty much configured the same way. But comparing /usr/local/etc/rc.d/unbound to /etc/rc.d/local_unbound it's very easy to see they're completely different.

/usr/local/etc/rc.d/unbound should check the unbound.conf file looking for the auto-trust-anchor-file parameter and if there then do the fetch anchor function otherwise skip it.

3. This port is very user-unfriendly. The ports system provides the files to simply change this.

 A. Create a file named quick-start and populate with this text

   Quick unbound setup instructions         
          
   1. In the /etc/rc.conf file
      comment out this line if it's there:  local_unbound_enable="YES"
      add  unbound_enable="YES"
      The built-in local_unbound version can not co-exist with the port
      version of unbound. Select one or the other.
      You will need one host re-boot to enable unbound after completing the
      following steps.

   2. Delete the contents of /etc/resolv.conf and add this line
      nameserver 127.0.0.1
      Then make it immutable using "chflags -R schg /etc/resolv.conf".
      This makes it unwritable by anyone; the contents will never change.
      Use "ls -lo /etc/resolv.conf" to see its flags.
      Use "chflags -R noschg /etc/resolv.conf" to return to normal.
      This stops /etc/resolv.conf being refreshed at boot time with DNS
      information from your ISP overriding the nameserver 127.0.0.1
      statement needed to drive host dns requests to unbound.

   3. If you have a LAN behind this host and want those LAN devices'
      DNS requests to also go through the host's unbound server,
      change the host's DHCP server conf file DNS IP address to the
      LAN IP address assigned to the host network adapter the LAN is on.
          
   4. unbound comes with a built-in "root zone" which negates the need
      for a "forward-zone:" section altogether. This built-in
      "root zone" sends DNS requests to the up-stream public DNS
      servers. Verify that your host firewall doesn't have rules
      restricting port 53 to using only your ISP's DNS IP addresses.
              
   5. Use  service unbound restart  after making changes to the
      content of your unbound.conf file. Note: any unbound.conf content
      errors cause the unbound server to not start. This means ALL DNS
      requests go unserviced; basically your host system and LAN users
      are dead in the water until you fix things.
      The  service unbound stop  command results in the same thing.
             
   6. Take note: The unbound man pages are not FreeBSD specific. 
      Unbound is open source software that runs on many different
      platforms. Some statements and ideas expressed are incorrect based
      on the FreeBSD way of doing things.
     
   7. The /usr/local/etc/unbound/unbound.conf.sample file shows all the
      possible options available in the unbound.conf file. The defaults
      are designed to create a running unbound server. In almost all cases
      the following working unbound.conf file contains the default
      overrides necessary for a working unbound server.

      Copy the following unbound.conf content to 
      /usr/local/etc/unbound/unbound.conf

  # Start of the working unbound.conf file.
  # Server config section.

  server:

  # For the unbound port/package version use this
      directory: /usr/local/etc/unbound
  # Either chroot into the config directory or disable chroot, not both:
  # unbound keeps the last chroot: line it reads, so listing both would
  # silently disable it. This file disables chroot explicitly.
  #   chroot: "/usr/local/etc/unbound"
      chroot: ""    # disable chroot
      pidfile: /usr/local/etc/unbound/unbound.pid

  # Specify the interfaces to answer queries from by ip-address.
  # The default is to listen to localhost (127.0.0.1 and ::1) only.
  # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
  # Binding to every interface is only acceptable because the
  # access-control: lines below refuse any client not listed there.
      interface: ::0        # listen on all ipv6 interfaces
      interface: 0.0.0.0    # listen on all ipv4 interfaces

  # Control which clients are allowed to make (recursive) queries
  # to this server. Specify classless netblocks with /size and action.
  # By default everything is refused, except for localhost.
  # Example 10.0.0.0/8 is the ip address block assigned to the LAN.
      access-control: 10.0.0.0/8 allow
      access-control: 127.0.0.0/8 allow

  # Remote control config section.
  # Remote control must be enabled before the unbound-control(8)
  # command can be used to send commands to the running unbound server.
  # To enable security, execute the unbound-control-setup command
  # to set up the keys and certificates.
  # This remote-control: section enables remote-control with
  # security disabled for use on this host only: the control channel
  # is a local unix socket rather than a TCP port, so only local users
  # who can open that socket file can issue commands.

  remote-control:
      control-enable: yes
      control-interface: /var/run/unbound.ctl
      control-use-cert: no
             
 B. Change the Makefile to install the quick-start file into 
    /usr/local/share/doc/unbound/quick-start

 C. Add a pkg-message file to the make files containing this content:
#########################################################################

     For unbound quick setup instructions read;
     /usr/local/share/doc/unbound/quick-start

#########################################################################

Item 3.A.7 above: you may want to just change the Makefile to install that unbound.conf file directly into /usr/local/etc/unbound/unbound.conf
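Two of the operational points in the report above (item 2, that the rc script should consult unbound.conf for auto-trust-anchor-file before fetching the anchor, and quick-start item 5, that a config error on restart leaves the host without DNS) can be handled with a small wrapper. The script below is an added example written for this page; it is not code from the bug report, the dns/unbound port or its rc script. It assumes the port's default paths from the quick-start, that unbound-anchor(8) exits 1 when it rewrote the key file (not a failure), and it uses a constructed sample config, mirroring the quick-start file including its two chroot: lines, so the parsing helpers can be tried without unbound installed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the dns/unbound port.
# Two helpers for the operational points raised above:
#   item 2: run unbound-anchor only when unbound.conf actually names an
#           auto-trust-anchor-file, by reading the config instead of
#           assuming one exists;
#   item 5: validate unbound.conf with unbound-checkconf before
#           "service unbound restart", so a typo cannot stop the daemon
#           and leave the host and LAN without DNS.
# Paths are assumptions matching the quick-start above.

UNBOUND_CONF=${UNBOUND_CONF:-/usr/local/etc/unbound/unbound.conf}
UNBOUND_ANCHOR=${UNBOUND_ANCHOR:-/usr/local/sbin/unbound-anchor}

# Print the value of one directive (e.g. auto-trust-anchor-file) from a
# config file: comments and surrounding quotes stripped, last occurrence
# wins (which is also how unbound itself resolves repeats).
# Exit 1 when the directive is absent or empty.
unbound_conf_get() {
    awk -v key="$1" '
        { sub(/#.*/, "") }                           # strip comments
        $1 == (key ":") { v = $2; gsub(/^"|"$/, "", v); val = v }
        END { if (val == "") exit 1; print val }
    ' "$2"
}

# Count how many times a directive appears; more than one for a
# single-valued directive such as chroot: means one setting is silently
# overriding another (the quick-start config above has exactly that).
unbound_conf_count() {
    awk -v key="$1" '
        { sub(/#.*/, "") }
        $1 == (key ":") { n++ }
        END { print n + 0 }
    ' "$2"
}

# What item 2 asks the rc script to do: fetch/refresh the DNSSEC root
# trust anchor only if the config references one.
# Assumption: unbound-anchor(8) exits 1 when it updated the file, which
# is not a failure; anything above 1 is.
fetch_anchor_if_configured() {
    anchor=$(unbound_conf_get auto-trust-anchor-file "$1") || {
        echo "no auto-trust-anchor-file in $1, skipping unbound-anchor"
        return 0
    }
    "$UNBOUND_ANCHOR" -a "$anchor"
    rc=$?
    [ "$rc" -le 1 ] && return 0
    echo "unbound-anchor failed with status $rc" >&2
    return 1
}

# Item 5's failure mode guarded: only restart when the new config parses,
# so the running instance keeps answering if the edit was bad.
safe_restart() {
    if ! unbound-checkconf "$1"; then
        echo "errors in $1; not restarting, the running unbound keeps serving" >&2
        return 1
    fi
    service unbound restart
}

# Constructed sample config (mirrors the quick-start file above, including
# its two chroot: lines) so the parsing helpers can be tried offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
server:
    directory: /usr/local/etc/unbound
    chroot: "/usr/local/etc/unbound"
    chroot: ""    # the second chroot: wins, so chroot is disabled
    pidfile: /usr/local/etc/unbound/unbound.pid
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
remote-control:
    control-enable: yes
EOF
}

# Stand-alone demo on the constructed sample; needs no unbound binaries.
sample=$(mktemp)
write_sample_conf "$sample"
echo "anchor file: $(unbound_conf_get auto-trust-anchor-file "$sample" || echo none)"
echo "chroot: lines: $(unbound_conf_count chroot "$sample")"
rm -f "$sample"
```

On a real host, `fetch_anchor_if_configured "$UNBOUND_CONF"` followed by `safe_restart "$UNBOUND_CONF"` is the sequence to run after editing the config; the anchor step is skipped when the directive is absent, and the restart is refused, leaving the old daemon up, when unbound-checkconf rejects the file.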
Comment 1 Jaap Akkerhuis 2017-10-16 13:51:37 UTC
I cannot reproduce the problem with the error message and nobody else seems to have this problem. Are you really using the mentioned file? In that case you are not using a standard ports tree.

I cannot reproduce the messages in auth.log about ssh and ftp. Furthermore, there is no relation between unbound and ssh or ftp so I don't understand where they could come from.

Since they do not occur when you start unbound outside the service, I suspect the problem lies elsewhere.

Thanks for the suggestions about extra documentation for novice users of the unbound port replacing local_unbound. I'd rather not take it upon me to maintain extra documentation different from the standard supplied one. Therefore I would like to suggest asking upstream to place this in the user contributions directory.

FYI, unbound is currently at version 1.6.7
Comment 2 joeb1 2017-10-16 19:22:03 UTC
In reply to your post

---Your post
I cannot reproduce the problem with the error message and nobody else
seems to have this problem. Are you really using the mentioned file?
In that case you are not using a standard ports tree.

---My reply
Maybe you can not reproduce because you have a different configuration.
I'm running 11.1 on real hardware cabled to a modem connected to the ISP.
Please post your configuration so we can discuss the differences and
how that may affect the test results.

I was not able to install the port version because of the openssl problem
I posted about in my original post. I installed the package version so the
sentence above about incorrect port tree content does not apply.


---Your post
I cannot reproduce the messages in auth.log about ssh and ftp. Furthermore,
there is no relation between unbound and ssh or ftp so I don't understand
where they could come from.

---My reply
I have the same wonder about how that is occurring.


---Your post
Since they do not occur when you start unbound outside the service, I suspect the problem lies elsewhere.


---My reply
Yes, I agree completely. Test results point directly at how you are starting
unbound using the "service" command as the source of the problem.
You need to follow through on item #2 of my original post.


---Your post
Thanks for the suggestions about extra documentation for novice users of
the unbound port replacing local_unbound. I'd rather not take it upon me to
maintain extra documentation different from the standard supplied one.
Therefore I would like to suggest asking upstream to place this in the
user contributions directory.


---My reply
I think you have a misunderstanding of your responsibility as the maintainer
of the unbound port. You're responsible for making the upstream native unbound
application conform to the methods used by FreeBSD. The documentation provided
is NOT just for novice users; it applies to FreeBSD users of all levels.

Times are changing, and these days users have expectations of user-friendly
ports. The era of installing a port and being left with a blank screen, with
sink or swim based on the user's individual experience, is a thing of the
past. It's just plain discourteous to leave a user hanging without any FreeBSD
configuration instructions.

This is a FreeBSD port, and as such it has been missing FreeBSD configuration
instructions for a very long time. I have provided you with everything you need
to correct these shortcomings. The upstream provider has invested a lot of time
and effort in the unbound software. It's not too much to ask for you to do your
part and make this port FreeBSD specific.
Comment 3 berend 2018-01-18 07:20:29 UTC
I have to agree that this quick-start could help. Provided instructions can be improved somewhat, but definitely will help novice users installing this.
Comment 4 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2018-10-09 20:19:49 UTC
Addressing only the original complaint:

1. That message is caused by an incorrect setting in your make.conf, not by the dns/unbound port.  It just happens to show up when you try to build a port which, like dns/unbound, relies on OpenSSL.

2. I guarantee you that there is no possible connection between the rc script and attacks on your computer.

3. There is plenty of good documentation available online and in man pages, and this is not what the pkg-message mechanism is intended for.  Besides, the text you offer describes only one of many possible use cases for Unbound, and one which is better served by the local_unbound service than by the port.
Comment 5 commit-hook freebsd_committer freebsd_triage 2021-03-11 02:21:31 UTC
A commit references this bug:

Author: amdmi3
Date: Thu Mar 11 02:20:33 UTC 2021
New revision: 568064
URL: https://svnweb.freebsd.org/changeset/ports/568064

Log:
  - Update to 19.1.11
  - Reset the maintainer due to 4 consequentional maintainer timeouts

  PR:		222907
  Submitted by:	pfg, kirill@varnakov.com
  Approved by:	maintainer timeout (freebsd@jen20.com, 21 months)

Changes:
  head/databases/cockroach/Makefile
  head/databases/cockroach/distinfo
  head/databases/cockroach/files/patch-src_github.com_cockroachdb_cockroach_pkg_storage_engine_rocksdb.go
  head/databases/cockroach/pkg-descr
Comment 6 Dmitry Marakasov freebsd_committer freebsd_triage 2021-03-11 02:24:14 UTC
Sorry, the commit is not related to this bug.