| Summary: | local_unbound fails to start if root.key is empty. |
|---|---|
| Product: | Base System |
| Component: | bin |
| Version: | 11.1-RELEASE |
| Hardware: | Any |
| OS: | Any |
| Status: | Closed FIXED |
| Severity: | Affects Some People |
| Priority: | --- |
| Reporter: | Ari Suutari <ari> |
| Assignee: | Dag-Erling Smørgrav <des> |
| CC: | des, rc |
| Keywords: | patch |
| Flags: | des: mfc-stable12+, des: mfc-stable11+, des: mfc-stable10+ |
A commit references this bug:

Author: des
Date: Thu Nov 1 14:24:12 UTC 2018
New revision: 339995
URL: https://svnweb.freebsd.org/changeset/base/339995

Log:
Run unbound-anchor when root.key is empty, not just when it is absent.

PR: 232555
Submitted by: Ari Suutari <ari@stonepile.fi>
MFC after: 3 days

Changes:
head/libexec/rc/rc.d/local_unbound

^Triage: committed back in 2018. The mfc-stable* flags' values are now OBE.
Created attachment 198487
Patch for /etc/rc.d/local_unbound

It seems to be possible that local_unbound gets into a state where /var/unbound/root.key exists but is empty as a result of an unclean shutdown. The command that regenerates the file is unbound-anchor, which rebuilds it if it doesn't exist or it is empty (stated in the man page).

However, /etc/rc.d/local_unbound doesn't invoke it if root.key exists, even as a zero-length file. This results in a situation where the local_unbound service no longer starts; it is also unable to recover from such a condition automatically. This leaves the machine without working DNS service:

```
Oct 23 09:08:39 local-unbound-test unbound: [947:0] notice: init module 0: validator
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: failed to read /root.key
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: validator: error in trustanchors config
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: validator: could not apply configuration settings.
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: module init for module validator failed
Oct 23 09:08:39 local-unbound-test unbound: [947:0] fatal error: failed to setup modules
```

A simple fix would be to change the rc.d script so that it has the same logic as unbound-anchor, i.e. run it if the file does not exist OR it is empty. Patch attached.
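The difference between the two checks described in the report, as an added example that is neither the FreeBSD rc.d script nor the attached patch. The function names are hypothetical, the `-f` and `-s` tests are assumed forms of "file exists" and "file exists and is non-empty", and the key files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added illustration; not the FreeBSD rc.d script. Function names are hypothetical.

# Behaviour described in the report before the fix:
# regenerate the trust anchor only when the file is absent.
needs_anchor_old() {
    [ ! -f "$1" ]
}

# Behaviour after the fix: regenerate when the file is absent OR zero-length,
# which is what the report says unbound-anchor itself handles.
needs_anchor_new() {
    [ ! -s "$1" ]
}

# Report what each check decides for one anchor path.
classify() {
    old=skip
    new=skip
    if needs_anchor_old "$1"; then old=run; fi
    if needs_anchor_new "$1"; then new=run; fi
    echo "old=$old new=$new"
}

# Constructed sample states in a scratch directory; /var/unbound is not touched.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/empty.key"    # zero-length file, as left by an unclean shutdown
    echo "constructed placeholder anchor data" > "$dir/good.key"
    for f in absent.key empty.key good.key; do
        printf '%-11s %s\n' "$f" "$(classify "$dir/$f")"
    done
    rm -rf "$dir"
}

demo
```

Only the `empty.key` row differs between the two checks: the old test skips regeneration, so the service keeps failing on every start until the file is removed by hand.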