Bug 232555 - local_unbound fails to start if root.key is empty.
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 11.1-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dag-Erling Smørgrav
Keywords: patch
Reported: 2018-10-23 09:24 UTC by Ari Suutari
Modified: 2018-11-01 15:42 UTC (History)
des: mfc-stable12+
des: mfc-stable11+
des: mfc-stable10+


Attachments
Patch for /etc/rc.d/local_unbound (300 bytes, patch)
2018-10-23 09:24 UTC, Ari Suutari

Description Ari Suutari 2018-10-23 09:24:06 UTC
Created attachment 198487
Patch for /etc/rc.d/local_unbound

It seems to be possible that local_unbound gets into a state where /var/unbound/root.key exists but is empty as a result of an unclean shutdown.

The command that regenerates the file is unbound-anchor, which rebuilds it if it doesn't exist or it is empty (as stated in the man page). However, /etc/rc.d/local_unbound doesn't invoke it if root.key exists, even as a zero-length file.

This results in a situation where the local_unbound service no longer starts; it is also unable to recover from such a condition automatically. This leaves the machine without a working DNS service:

Oct 23 09:08:39 local-unbound-test unbound: [947:0] notice: init module 0: validator
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: failed to read /root.key
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: validator: error in trustanchors config
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: validator: could not apply configuration settings.
Oct 23 09:08:39 local-unbound-test unbound: [947:0] error: module init for module validator failed
Oct 23 09:08:39 local-unbound-test unbound: [947:0] fatal error: failed to setup modules


A simple solution would be to change the rc.d script so that it has the same logic as unbound-anchor, i.e. run it if the file does not exist OR it is empty.

Patch attached.
Comment 1 commit-hook freebsd_committer 2018-11-01 14:24:22 UTC
A commit references this bug:

Author: des
Date: Thu Nov  1 14:24:12 UTC 2018
New revision: 339995
URL: https://svnweb.freebsd.org/changeset/base/339995

Log:
  Run unbound-anchor when root.key is empty, not just when it is absent.

  PR:		232555
  Submitted by:	Ari Suutari <ari@stonepile.fi>
  MFC after:	3 days

Changes:
  head/libexec/rc/rc.d/local_unbound
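
The condition discussed in this report, as an added shell example (it is not the attached patch or the committed change): an existence-only prestart check next to a "missing OR empty" check, run against a missing, an empty and a populated key file. The function names and the stub standing in for unbound-anchor are hypothetical, and the existence-only check is assumed to be a `-f` test.

```sh
#!/bin/sh
# Added example: contrasts an existence-only prestart check with a
# "missing OR empty" check. All names here are hypothetical; the stub
# below stands in for unbound-anchor and writes constructed content.

regenerate_anchor() {           # stub for the real unbound-anchor run
	printf '%s\n' '; constructed placeholder trust anchor' > "$1"
}

# Existence-only check (assumed to be a -f test): regeneration is
# skipped for a zero-length file, so the empty anchor stays in place.
prestart_exists_only() {
	[ -f "$1" ] || regenerate_anchor "$1"
}

# Condition the report attributes to unbound-anchor: rebuild when the
# file does not exist or is empty. -s is true only for size > 0.
prestart_nonempty() {
	[ -s "$1" ] || regenerate_anchor "$1"
}

# Run one prestart function against one starting state and report
# whether a usable (non-empty) anchor is in place afterwards.
# usage: anchor_state_after <prestart_fn> <missing|empty|populated>
anchor_state_after() {
	_dir=$(mktemp -d) || return 2
	_key="$_dir/root.key"
	case "$2" in
	missing)   ;;
	empty)     : > "$_key" ;;       # what an unclean shutdown can leave
	populated) regenerate_anchor "$_key" ;;
	*)         rm -rf "$_dir"; return 2 ;;
	esac
	"$1" "$_key"
	if [ -s "$_key" ]; then _res=usable; else _res=unusable; fi
	rm -rf "$_dir"
	echo "$_res"
}

for state in missing empty populated; do
	printf '%-10s exists-only=%s  nonempty=%s\n' "$state" \
		"$(anchor_state_after prestart_exists_only "$state")" \
		"$(anchor_state_after prestart_nonempty "$state")"
done
```

Only the `empty` row differs between the two checks, which is the state in which the validator in the log above fails to read root.key.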