
List:       unbound-users
Subject:    Re: 1.7.3 - local zone trust auto-trust-anchor -> error: anchor cannot be with and without autotrust
From:       ѽ҉ᶬḠvia Unbound-users <unbound-users () unbound ! net>
Date:       2018-07-26 22:22:08
Message-ID: 26e5eca6-ffda-775c-7ff4-5cd509496226 () gmx ! net

Just to conclude this thread - call it my ignorance of having
copied/pasted in the server directive various zone statements and that
including [ domain-insecure: mail ]. After removing it the error is gone.


>>>>> You can start the auto-trust-anchor-file rotation by providing a file
>>>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>>>> in there.
>>>>>
>>>>>
>>> I tried this with (in conf)
>>>
>>> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
>>> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>>>
>>> And the latter reading (copied from the BIND-9 zone file)
>>>
>>> mail. 1d IN    DS 22205    14    1    0FFE136DCCCFD7879D350A62610193ADA5F18111
>>> mail. 1d IN    DS 22205    14    2    816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>>
>>> and as variation
>>>
>>> mail. 1d IN    DNSKEY 22205    14    1    0FFE136DCCCFD7879D350A62610193ADA5F18111
>>> mail. 1d IN    DNSKEY 22205    14    2    816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>>
>>> but either way unbound is reporting the below and I do not understand
>>> what the issue (anchor cannot be with and without autotrust) is?
>>>
>>> error: anchor cannot be with and without autotrust
>>> error: failed to load trust anchor from
>>> /etc/unbound/mail-trusted-key.key at line 1, skipping
>>> error: anchor cannot be with and without autotrust
>>> error: failed to load trust anchor from
>>> /etc/unbound/mail-trusted-key.key at line 2, skipping
>>> error: failed to read /etc/unbound/mail-trusted-key.key
>>> error: error reading auto-trust-anchor-file:
>>> /etc/unbound/mail-trusted-key.key
>>> error: validator: error in trustanchors config
>>> error: validator: could not apply configuration settings.
>>> fatal error: bad config for validator module
>> Looking at autotrust.c seems to be expecting a certain (NSD?) anchor
>> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and if
>> not met throwing the error.
>> I am no coder and cannot make sense of
>>
>> if(tp) {
>>         if(!tp->autr) {
>>                 log_err("anchor cannot be with and without autotrust");
>>                 lock_basic_unlock(&tp->lock);
>>                 return NULL;
>>         }
>>
>> The BIND-9 zone file does only provide the aforementioned. Has to be
>> anything to be done with it to make it compliant with the anchor
>> structure required by unbound?
>>
>>
> after a [ dig dnskey ] of the zone amended
> "/etc/unbound/mail-trusted-key.key" to
>
> mail.                   86156   IN      DNSKEY  257 3 14
> cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlq
> Onl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLx ymR1B8+DZ96lXvkW
> mail.                   86156   IN      DNSKEY  256 3 14
> lWTX1MIw/HqcBk7nHwAmMvHnlvAVF8L0BZb9Foqi6BiS8qJIDu6j3tP8
> ggjkkU2/ISCmJ0Ue1MGQd5jEwT5fKJ1mtESlqYawGODGWmNb8L/wamlQ NVH9QHWav9qfgvc1
>
> but the [ error: anchor cannot be with and without autotrust ] just
> keeps on popping up.
>
> Am I doing something wrong or is this a bug in unbound?
>
>
>
>
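
The conflict reported at the top of this message (a zone listed under domain-insecure while its keys are also loaded through auto-trust-anchor-file) can be caught before unbound is started. The following is an added example, not part of the original post or of Unbound itself; the function names, the sample configuration and the placeholder key data are constructed, and anchor file contents are passed in as a dict instead of being read from disk.

```python
import re

# Constructed sample: the configuration described in the thread.
SAMPLE_CONF = '''
server:
    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
    auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
    domain-insecure: mail
'''
# Constructed anchor file contents keyed by path; key data is a placeholder.
SAMPLE_FILES = {
    "/etc/unbound/trusted-key.key": ". 86400 IN DNSKEY 257 3 8 PLACEHOLDER\n",
    "/etc/unbound/mail-trusted-key.key":
        "mail. 86156 IN DNSKEY 257 3 14 PLACEHOLDER\n"
        "mail. 86156 IN DNSKEY 256 3 14 PLACEHOLDER\n",
}

def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    name = name.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."

def directives(conf, key):
    """Yield the value of every `key: value` line, ignoring # comments."""
    for line in conf.splitlines():
        m = re.match(r"([a-z0-9-]+):\s*(.+)$", line.split("#", 1)[0].strip())
        if m and m.group(1) == key:
            yield m.group(2).strip().strip('"')

def anchor_owners(text):
    """Owner names of the DS/DNSKEY records found in an anchor file."""
    owners = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # ';' starts a comment
        if any(t in ("DS", "DNSKEY") for t in fields[1:4]):
            owners.add(norm(fields[0]))
    return owners

def find_conflicts(conf, files):
    """Return (zone, anchor file) pairs that are also marked domain-insecure."""
    insecure = {norm(v) for v in directives(conf, "domain-insecure")}
    hits = []
    for path in directives(conf, "auto-trust-anchor-file"):
        for owner in sorted(anchor_owners(files.get(path, "")) & insecure):
            hits.append((owner, path))
    return hits

if __name__ == "__main__":
    for zone, path in find_conflicts(SAMPLE_CONF, SAMPLE_FILES):
        print(f"{zone} is domain-insecure but also anchored by {path}")
```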

