Bug 1012494 - danetool uses a hardcoded root.key file in wrong format
Product: Fedora
Classification: Fedora
Component: gnutls
Assigned To: Nikos Mavrogiannopoulos
Reported: 2013-09-26 10:44 EDT by Paul Wouters
Modified: 2013-12-17 14:13 EST (History)
Fixed In Version: gnutls-3.1.17-3.fc20
Last Closed: 2013-12-17 14:13:08 EST
Description Paul Wouters 2013-09-26 10:44:16 EDT
Description of problem:

$ danetool --check fedoraproject.org --proto tcp --port 443
Querying fedoraproject.org (tcp:443)...
[1380206085] libunbound[25382:0] error: parse error in /etc/unbound/root.key:6 : Syntax error, could not parse the RR's rdata
[1380206085] libunbound[25382:0] error: error reading trust-anchor-file: /etc/unbound/root.key
[1380206085] libunbound[25382:0] error: validator: error in trustanchors config
[1380206085] libunbound[25382:0] error: validator: could not apply configuration settings.
[1380206085] libunbound[25382:0] error: module init for module validator failed
danetool: dane_query_tlsa: There was an error while resolving.

$ cat /etc/unbound/root.key
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
trusted-keys {
"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036


$ cat //var/lib/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1380206290 ;;Thu Sep 26 10:38:10 2013
;;last_success: 1380206290 ;;Thu Sep 26 10:38:10 2013
;;next_probe_time: 1380245983 ;;Thu Sep 26 21:39:43 2013
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.	98799	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1379364356 ;;Mon Sep 16 16:45:56 2013

Either the code needs to use ub_ctx_trustedkeys() or, better, it should depend on unbound-libs and use /var/lib/libunbound/root.anchor.

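The two files in the report hold the same root KSK in two layouts, and libunbound has a separate loader for each: ub_ctx_trustedkeys() parses the BIND trusted-keys syntax, ub_ctx_add_ta_file() parses zone-style DNSKEY records. The following added example (not gnutls or unbound code) classifies a trust-anchor file by layout and recomputes the DNSKEY key tag per RFC 4034 Appendix B to confirm the anchor is the root KSK with id 19036 seen above; the sample file contents are constructed from the two cat outputs in the report, and the closing "};" of the BIND file is assumed.

```python
import base64
import re
import struct

# Root KSK exactly as pasted in the report; the two file layouts below are
# constructed from the cat output (comment lines trimmed, "};" assumed).
ROOT_KSK_B64 = "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
BIND_FORMAT = (
    "; // The root key in bind format.\n"
    "trusted-keys {\n"
    '"." 257 3 8 "' + ROOT_KSK_B64 + '"; // key id = 19036\n'
    "};\n"
)
ZONE_FORMAT = (
    "; autotrust trust anchor file\n"
    ";;id: . 1\n"
    ".\t98799\tIN\tDNSKEY\t257 3 8 " + ROOT_KSK_B64 + " ;{id = 19036 (ksk), size = 2048b}\n"
)

def dnskey_key_tag(flags, protocol, algorithm, key_b64):
    """Key tag of a DNSKEY RR, computed over its RDATA per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# BIND: "name" flags proto alg "base64";   zone: name [ttl] [IN] DNSKEY flags proto alg base64
_BIND_KEY = re.compile(r'"(?P<name>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"')
_ZONE_KEY = re.compile(r'^(?P<name>\S+)(?:\s+\d+)?(?:\s+IN)?\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)'
                       r'\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=]+)', re.M)

def parse_trust_anchor_file(text):
    """Return (fmt, anchors): fmt is 'bind' (what ub_ctx_trustedkeys() reads),
    'zone' (what ub_ctx_add_ta_file() reads) or 'unknown'; anchors lists
    (owner name, key tag) for every DNSKEY found."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(";"))
    pattern, fmt = (_BIND_KEY, "bind") if "trusted-keys" in body else (_ZONE_KEY, "zone")
    anchors = [(m["name"], dnskey_key_tag(int(m["flags"]), int(m["proto"]), int(m["alg"]), m["key"]))
               for m in pattern.finditer(body)]
    return (fmt if anchors else "unknown"), anchors

def anchor_ok_for(api, text, expected_tag=19036):
    """True when `text` is in the layout `api` expects and carries the expected root KSK."""
    wanted = {"ub_ctx_trustedkeys": "bind", "ub_ctx_add_ta_file": "zone"}[api]
    fmt, anchors = parse_trust_anchor_file(text)
    return fmt == wanted and (".", expected_tag) in anchors
```

Run against the report's /etc/unbound/root.key, `anchor_ok_for("ub_ctx_add_ta_file", ...)` returns False because the file is in BIND syntax, which is the mismatch behind the "could not parse the RR's rdata" error; the same file passes for `ub_ctx_trustedkeys`, and the unbound-anchor file passes for `ub_ctx_add_ta_file`.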
Comment 1 Nikos Mavrogiannopoulos 2013-11-26 10:33:54 EST
In my system unbound-libs is installed but /var/lib/libunbound/root.anchor does not exist. Is there a way to require its presence?
Comment 2 Nikos Mavrogiannopoulos 2013-11-27 03:47:27 EST
I should have checked more carefully. I suppose you meant: /var/lib/unbound/root.key

I'll include a fix on the next update.
Comment 3 Paul Wouters 2013-11-27 10:37:58 EST

The latest unbound-libs is supposed to run a job in %post to fetch the key:

%post libs
%{_sbindir}/runuser  --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem"  --shell /bin/sh unbound ||:
Comment 4 Fedora Update System 2013-12-05 07:01:15 EST
gnutls-3.1.17-3.fc20 has been submitted as an update for Fedora 20.
Comment 5 Fedora Update System 2013-12-05 16:26:10 EST
Package gnutls-3.1.17-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.1.17-3.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-12-17 14:13:08 EST
gnutls-3.1.17-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.