Bug 488690

Summary: unbound-checkconf fails until first daemon startup creates control keys
Product: [Fedora] Fedora
Reporter: Charles R. Anderson <cra>
Component: unbound
Assignee: Paul Wouters <pwouters>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: pwouters
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-17 05:43:19 UTC

Description Charles R. Anderson 2009-03-05 08:06:24 UTC
Description of problem:

When first installing unbound and then checking the config with unbound-checkconf (or via dnssec-configure), the check fails since the control keys haven't been created yet.  The init script creates the control keys if they don't exist, but the expected workflow for the user installing and configuring unbound may be to check the config first or indeed use dnssec-conf to configure the server before starting the server for the first time.  The failure is therefore confusing behavior.  It also prevents the ability to use dnssec-conf to configure the server unless you start the server once, then use dnssec-conf to configure it.

Version-Release number of selected component (if applicable):
1.2.1-2.fc11

How reproducible:
always

Steps to Reproduce:
1. start with a fresh system, or remove unbound and delete /etc/unbound/*
2. yum install unbound dnssec-conf
3. dnssec-configure -u --show
4. dnssec-configure -u --dnssec=on --dlv=on
Actual results:

#dnssec-configure -u --show
ERROR: syntax check for unbound-checkconf /etc/unbound/unbound.conf failed:/etc/unbound/unbound_server.key: No such file or directory
[1236235660] unbound-checkconf[5972:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist

#dnssec-configure -u --dnssec=on --dlv=on
ERROR: syntax check for unbound-checkconf /etc/unbound/unbound.conf failed:/etc/unbound/unbound_server.key: No such file or directory
[1236235595] unbound-checkconf[5968:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist


Expected results:
You should be able to configure the server with dnssec-conf before starting it for the first time.  The server config should pass unbound-checkconf before starting the server for the first time.

Additional info:
Not sure how to fix this in the best way, but perhaps packaging zero-length key files or using a %post script that creates zero-length key files would work.  Then the config check could pass, but the init script would notice the zero-length files and re-generate real ones.
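
Added example, not code from the bug report or from the unbound project: a pre-start check that reads the remote-control file options out of an unbound.conf and reports which key and certificate files do not exist yet, the exact condition that makes unbound-checkconf abort above. Option names are real unbound options; the sample config, its directory and file names are constructed for the demo, and relative paths are resolved against the config's own directory, which is an assumption.

```shell
# Print "option path" for each remote-control file option in CONF, comments stripped.
control_files() {
    sed -e 's/#.*$//' "$1" | awk '
        $1 == "server-key-file:" || $1 == "server-cert-file:" ||
        $1 == "control-key-file:" || $1 == "control-cert-file:" {
            gsub(/"/, "", $2); print $1, $2 }'
}

# 0 if CONF turns remote-control on (only then are the key files needed);
# unbound defaults to control-enable: no.
control_enabled() {
    sed -e 's/#.*$//' "$1" | awk '
        $1 == "control-enable:" { gsub(/"/, "", $2); v = $2 }
        END { if (v == "yes") exit 0; exit 1 }'
}

# 0 when remote-control is off or every referenced file exists; otherwise list
# the missing files on stderr and return 1 so the caller can explain the failure
# instead of letting unbound-checkconf die on the first missing file.
# Relative paths are resolved against the config's directory (assumption:
# unbound itself resolves them against its "directory:" option).
control_keys_present() {
    conf="$1"; base=$(dirname "$conf")
    control_enabled "$conf" || return 0
    missing=$(control_files "$conf" | while read -r opt path; do
        case "$path" in /*) full="$path" ;; *) full="$base/$path" ;; esac
        [ -e "$full" ] || echo "$opt $full does not exist"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" >&2
    echo "run unbound-control-setup, or set control-enable: no, before unbound-checkconf" >&2
    return 1
}

# Constructed unbound.conf in DIR mirroring this report's layout (absolute key
# paths under the config directory, remote-control enabled); prints its path.
write_sample_conf() {
    cat > "$1/unbound.conf" <<EOF
server:
    directory: "$1"
remote-control:
    control-enable: yes
    server-key-file: "$1/unbound_server.key"
    server-cert-file: "$1/unbound_server.pem"
    control-key-file: "$1/unbound_control.key"
    control-cert-file: "$1/unbound_control.pem"
EOF
    echo "$1/unbound.conf"
}

# Demo: a fresh directory with no keys yet, as on a just-installed system.
dir=$(mktemp -d); conf=$(write_sample_conf "$dir")
control_keys_present "$conf" || echo "config not ready for unbound-checkconf"
rm -rf "$dir"
```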

Comment 1 Paul Wouters 2009-03-17 05:43:19 UTC
This is fixed in unbound-1.2.1-5. That also requires dnssec-conf-1.19.

dnssec-configure now takes the --nocheck option to avoid this problem. We don't need to generate empty or real key files (might be low on entropy during install) and the checks are there in the default case without --nocheck.

Thanks for the bug report!