Option trust_anchor_file is not usable #316

Open
countsudoku opened this issue Jun 15, 2023 · 0 comments · May be fixed by #324

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: (does not matter)
  • Ruby: (does not matter)
  • Distribution: Debian, but doesn't matter either
  • Unbound: 1.9.0
  • Module version: v6.0.0 (and before)

How to reproduce (e.g Puppet code you use)

class { 'unbound':
  trust_anchor_file => '/usr/share/dns/root.key',
  interface         => ['0.0.0.0'],
}

What are you seeing

The unbound.conf cannot be parsed anymore, because it contains both an auto-trust-anchor-file: and a trust-anchor-file: option:

Error: Execution of '/usr/sbin/unbound-checkconf /etc/unbound/unbound.conf20230615-31967-er7wgp' returned 1: [1686863903] unbound-checkconf[32155:0] error: trust anchor presented twice
[1686863903] unbound-checkconf[32155:0] error: could not parse auto-trust-anchor-file /var/lib/unbound/root.key line 2
[1686863903] unbound-checkconf[32155:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.key
[1686863903] unbound-checkconf[32155:0] error: validator: error in trustanchors config
[1686863903] unbound-checkconf[32155:0] error: validator: could not apply configuration settings.
[1686863903] unbound-checkconf[32155:0] fatal error: bad config for validator module

What behaviour did you expect instead

Unbound should use my provided trust_anchor_file.

Any additional information you'd like to impart

The part of the template that is responsible for this code is:

<%= print_config('trust-anchor-file', @trust_anchor_file) -%>
<%= print_config('auto-trust-anchor-file', @auto_trust_anchor_file) -%>

plus the definitions in the init.pp:

Optional[Stdlib::Absolutepath] $trust_anchor_file = undef,

and

Stdlib::Absolutepath $auto_trust_anchor_file = "${runtime_dir}/root.key",

So the auto_trust_anchor_file variable is always set and always added to the config file. As soon as a trust_anchor_file is configured there are two "trust-anchor-file" variants in the config file.

I am not sure how you would like to fix that: the cleanest option – from my point of view – would be to make the auto_trust_anchor_file also an Optional and add some input validation that not both values are set.

b4ldr added a commit to b4ldr/puppet-unbound that referenced this issue Oct 24, 2023
The config only supports having trust_anchor_file or
auto_trust_anchor_file. This updates the code to use trust_anchor_file
if it is set (it's undef by default), otherwise use auto_trust_anchor_file,
which has a default value.

fixes voxpupuli#316
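
The selection rule described in the commit message, rendered with plain ERB next to the two template lines quoted in the issue. This is an added example, not the module's or the commit's own code: `print_config` here is a simplified stand-in for the module's helper, the templates use local variables instead of `@` instance variables, and `render` and `anchor_directives` are hypothetical names.

```ruby
require 'erb'

# Simplified stand-in for the module's print_config helper (assumption):
# emits an indented "name: value" line, or nothing for nil (Puppet undef).
def print_config(name, value)
  value.nil? ? '' : "  #{name}: #{value}\n"
end

# The two template lines quoted in the issue: both directives are attempted.
BEFORE_TEMPLATE = <<~TPL
  server:
  <%= print_config('trust-anchor-file', trust_anchor_file) -%>
  <%= print_config('auto-trust-anchor-file', auto_trust_anchor_file) -%>
TPL

# One way to express the rule from the commit message: prefer
# trust_anchor_file when set, otherwise fall back to auto_trust_anchor_file.
AFTER_TEMPLATE = <<~TPL
  server:
  <% if trust_anchor_file -%>
  <%= print_config('trust-anchor-file', trust_anchor_file) -%>
  <% else -%>
  <%= print_config('auto-trust-anchor-file', auto_trust_anchor_file) -%>
  <% end -%>
TPL

# Render a template with the two class parameters as template locals.
def render(template, trust_anchor_file:, auto_trust_anchor_file:)
  ERB.new(template, trim_mode: '-').result_with_hash(
    trust_anchor_file: trust_anchor_file,
    auto_trust_anchor_file: auto_trust_anchor_file
  )
end

# List the trust anchor file directives present in a rendered config.
def anchor_directives(conf)
  conf.scan(/^\s*((?:auto-)?trust-anchor-file):/).flatten
end

if __FILE__ == $PROGRAM_NAME
  # Values from the issue: the user's file plus the module's default path.
  params = { trust_anchor_file: '/usr/share/dns/root.key',
             auto_trust_anchor_file: '/var/lib/unbound/root.key' }
  puts "before: #{anchor_directives(render(BEFORE_TEMPLATE, **params))}"
  puts "after:  #{anchor_directives(render(AFTER_TEMPLATE, **params))}"
end
```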