Description of problem:
Running unbound-checkconf before starting unbound server throws error

[root@server1 ~]# unbound-checkconf
/etc/unbound/unbound_server.key: No such file or directory
[1460972952] unbound-checkconf[1903:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist

But if one starts unbound and then runs unbound-checkconf then

[root@server1 ~]# systemctl start unbound
[root@server1 ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

Version-Release number of selected component (if applicable):
unbound-1.4.20-26.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install unbound
2. configure unbound for bare minimum requirement
3. run unbound-checkconf and observe error
4. start server and run unbound-checkconf

Actual results:
unbound-checkconf complains about non-existent control keys.

Expected results:
1. unbound-checkconf should notify user to create keys or
2. suggest user to start unbound server for first time or
3. suggest user to create control keys for checking configuration file without starting unbound server

(In reply to Abhijeet Kasurde from comment #0)
> Description of problem:
> Running unbound-checkconf before starting unbound server throws error
>
> [root@server1 ~]# unbound-checkconf
> /etc/unbound/unbound_server.key: No such file or directory
> [1460972952] unbound-checkconf[1903:0] fatal error: server-key-file:
> "/etc/unbound/unbound_server.key" does not exist
>
> But if one starts unbound and then runs unbound-checkconf then
>
> [root@server1 ~]# systemctl start unbound
> [root@server1 ~]# unbound-checkconf
> unbound-checkconf: no errors in /etc/unbound/unbound.conf

Hi,

the problem description is clear.

> 3. suggest user to create control keys for checking configuration file
> without starting unbound server

I wonder whether we want to keep a patch just to add an additional message to the user. But it is an option indeed.

4. What about running the right service from unbound-checkconf and let the keys be created? Would it be acceptable at all to trigger key creation just by running unbound-checkconf?

I would choose between the two options above or no change at all.

(In reply to Pavel Šimerda (pavlix) from comment #2)
> (In reply to Abhijeet Kasurde from comment #0)
> > Description of problem:
> > Running unbound-checkconf before starting unbound server throws error
> >
> > [root@server1 ~]# unbound-checkconf
> > /etc/unbound/unbound_server.key: No such file or directory
> > [1460972952] unbound-checkconf[1903:0] fatal error: server-key-file:
> > "/etc/unbound/unbound_server.key" does not exist
> >
> > But if one starts unbound and then runs unbound-checkconf then
> >
> > [root@server1 ~]# systemctl start unbound
> > [root@server1 ~]# unbound-checkconf
> > unbound-checkconf: no errors in /etc/unbound/unbound.conf
>
> Hi,
>
> the problem description is clear.
>
> > 3. suggest user to create control keys for checking configuration file
> > without starting unbound server
>
> I wonder whether we want to keep a patch just to add an additional message
> to the user. But it is an option indeed.

No, we don't want to keep any downstream patches.

> 4. What about running the right service from unbound-checkconf and let the
> keys be created? Would it be acceptable at all to trigger key creation just
> by running unbound-checkconf?

If by "running the right service from unbound-checkconf" you mean executing systemctl from the code, then this is IMHO not something the upstream would accept, as it is distribution and OS specific thing.

I think the error message is clear in a way, that the (default) configuration contains path / name of the key used by the unbound server and the file does not exist. The man page of unbound.conf says WRT server-key-file option, that "This file is generated by the unbound-control-setup utility."

I think that the error message provides the user enough information to determine that there is some issue with the configuration, specifically that key defined by server-key-file option does not exist. The man page for unbound.conf specifies that the key file is generated by running unbound-control-setup.

Generating the key during package installation is not something we want to do, because it could take extensive time on machines with not enough entropy (e.g. newly created VM).

The best we can do is to write KCS article describing that if the user wants to run unbound-checkconf before starting unbound, then they must run the unbound-keygen.service first. Please also note that the unbound-checkconf is run before each start of unbound.

> I would choose between the two options above or no change at all.
We have published a solution article for this issue: https://access.redhat.com/solutions/2356001 We do not plan any changes in the package itself.
*** Bug 1425163 has been marked as a duplicate of this bug. ***
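
A preflight check for the situation discussed in this thread, as an added example that is not part of the bug report or of the unbound package: it lists the remote-control key and certificate files an unbound.conf names that do not exist yet, so the missing-key case can be told apart from a real configuration error before unbound-checkconf runs. The function names are hypothetical; it assumes the paths are set explicitly in the file it is given and does not follow include: directives or apply built-in defaults.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print "option: path" for every remote-control key/cert file that the given
# unbound.conf names explicitly but that does not exist on disk.
missing_control_files() {
    conf="$1"
    for opt in server-key-file server-cert-file control-key-file control-cert-file; do
        # Last uncommented "opt: value" line; drop trailing comment, spaces, quotes.
        path=$(sed -n "s/^[[:space:]]*${opt}:[[:space:]]*//p" "$conf" | tail -n 1 |
               sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"//; s/"$//')
        [ -n "$path" ] || continue
        [ -e "$path" ] || printf '%s: %s\n' "$opt" "$path"
    done
}

# Return 0 when no named key/cert file is missing, else explain and return 1.
preflight() {
    missing=$(missing_control_files "$1")
    [ -z "$missing" ] && return 0
    printf 'missing control files:\n%s\n' "$missing" >&2
    printf 'run unbound-control-setup or start unbound-keygen.service first\n' >&2
    return 1
}

# Constructed sample config in a temp dir: one key absent, one present,
# one option commented out. Prints the missing entry relative to that dir.
demo() {
    dir=$(mktemp -d)
    : > "$dir/unbound_control.key"
    cat > "$dir/unbound.conf" <<EOF
remote-control:
    control-enable: yes
    server-key-file: "$dir/unbound_server.key"   # not generated yet
    # server-cert-file: "$dir/unbound_server.pem"
    control-key-file: $dir/unbound_control.key
EOF
    missing_control_files "$dir/unbound.conf" | sed "s|$dir/||"
    rm -rf "$dir"
}
```

Typical use is `preflight /etc/unbound/unbound.conf && unbound-checkconf`, which leaves key generation as an explicit step for the administrator.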