| Summary: | danetool uses a hardcoded root.key file in wrong format | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Paul Wouters <pwouters> |
| Component: | gnutls | Assignee: | Nikos Mavrogiannopoulos <nmavrogi> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | jorton, nmavrogi, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | gnutls-3.1.17-3.fc20 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-12-17 19:13:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

In my system unbound-libs is installed but /var/lib/libunbound/root.anchor does not exist. Is there a way to require its presence?

I should have checked more carefully. I suppose you meant: /var/lib/unbound/root.key

I'll include a fix on the next update.

The latest unbound-libs is supposed to run a job in %post to fetch the key:

```
%post libs
/sbin/ldconfig
%{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:
```

gnutls-3.1.17-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/gnutls-3.1.17-3.fc20

Package gnutls-3.1.17-3.fc20:

* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing gnutls-3.1.17-3.fc20'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-22805/gnutls-3.1.17-3.fc20 then log in and leave karma (feedback).

gnutls-3.1.17-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:

Version-Release number of selected component (if applicable): gnutls-3.1.11-1.fc19.x86_64

```
$ danetool --check fedoraproject.org --proto tcp --port 443
Querying fedoraproject.org (tcp:443)...
[1380206085] libunbound[25382:0] error: parse error in /etc/unbound/root.key:6 : Syntax error, could not parse the RR's rdata
[1380206085] libunbound[25382:0] error: error reading trust-anchor-file: /etc/unbound/root.key
[1380206085] libunbound[25382:0] error: validator: error in trustanchors config
[1380206085] libunbound[25382:0] error: validator: could not apply configuration settings.
[1380206085] libunbound[25382:0] error: module init for module validator failed
danetool: dane_query_tlsa: There was an error while resolving.

$ cat /etc/unbound/root.key
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys {
"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
};

$ cat //var/lib/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1380206290 ;;Thu Sep 26 10:38:10 2013
;;last_success: 1380206290 ;;Thu Sep 26 10:38:10 2013
;;next_probe_time: 1380245983 ;;Thu Sep 26 21:39:43 2013
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1379364356 ;;Mon Sep 16 16:45:56 2013
$
```

Either the code needs to use ub_ctx_trustedkeys() or better, it should depend on unbound-libs and use /var/lib/libunbound/root.anchor
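
The mismatch in this report is between the trust anchor file's layout and the libunbound call used to read it. The sketch below is an added example, not code from gnutls or unbound: it classifies a file as BIND `trusted-keys` or zone-format/autotrust and names a loader that parses that layout. The sample files use a constructed placeholder key, and the layout-to-loader mapping and all Python names are assumptions of this example.

```python
import re

# Constructed samples mirroring the two layouts in the report. The key text is
# a short placeholder, not real DNSKEY material.
BIND_SAMPLE = '''; // The root key in bind format.
trusted-keys {
"." 257 3 8 "AwEAAcPLACEHOLDERkey0="; // key id = 19036
};
'''
AUTOTRUST_SAMPLE = '''; autotrust trust anchor file
;;id: . 1
;;query_failed: 0
. 98799 IN DNSKEY 257 3 8 AwEAAcPLACEHOLDERkey0= ;{id = 19036 (ksk)} ;;state=2 [ VALID ]
'''

# Assumed mapping from layout to a libunbound call that parses it.
# ub_ctx_add_ta_autr() is the RFC 5011 variant that also rewrites the file.
LOADER = {"bind": "ub_ctx_trustedkeys",
          "autotrust": "ub_ctx_add_ta_file",
          "zone": "ub_ctx_add_ta_file"}

BIND_KEY = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')
ZONE_KEY = re.compile(
    r'^(\S+)[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?DNSKEY'
    r'[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+([^;\n]+)', re.M)

def classify(text):
    """Return 'bind', 'autotrust', 'zone' or 'unknown' for a trust anchor file."""
    # Drop whole-line comments so a commented-out keyword cannot decide the type.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(";"))
    if re.search(r'\btrusted-keys\s*\{', body):
        return "bind"
    if ZONE_KEY.search(body):
        header = text.lstrip().startswith("; autotrust trust anchor file")
        return "autotrust" if header else "zone"
    return "unknown"

def keys(text):
    """Extract (owner, flags, protocol, algorithm, base64) from either layout."""
    pattern = BIND_KEY if classify(text) == "bind" else ZONE_KEY
    return [(o, int(f), int(p), int(a), "".join(k.split()))
            for o, f, p, a, k in pattern.findall(text)]

def loader_for(text):
    """Name the loader to call, or None when the file matches neither layout."""
    return LOADER.get(classify(text))
```

Running `keys()` on both files is a quick way to confirm they carry the same anchor even though only one of them parses with a given loader.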