Description of problem:
When first installing unbound and then checking the config with unbound-checkconf (or via dnssec-configure), the check fails since the control keys haven't been created yet. The init script creates the control keys if they don't exist, but the expected workflow for the user installing and configuring unbound may be to check the config first or indeed use dnssec-conf to configure the server before starting the server for the first time. The failure is therefore confusing behavior. It also prevents the ability to use dnssec-conf to configure the server unless you start the server once, then use dnssec-conf to configure it.

Version-Release number of selected component (if applicable):
1.2.1-2.fc11

How reproducible:
always

Steps to Reproduce:
1. start with a fresh system, or remove unbound and delete /etc/unbound/*
2. yum install unbound dnssec-conf
3. dnssec-configure -u --show
4. dnssec-configure -u --dnssec=on --dlv=on

Actual results:
#dnssec-configure -u --show
ERROR: syntax check for unbound-checkconf /etc/unbound/unbound.conf failed:/etc/unbound/unbound_server.key: No such file or directory
[1236235660] unbound-checkconf[5972:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist

#dnssec-configure -u --dnssec=on --dlv=on
ERROR: syntax check for unbound-checkconf /etc/unbound/unbound.conf failed:/etc/unbound/unbound_server.key: No such file or directory
[1236235595] unbound-checkconf[5968:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist

Expected results:
You should be able to configure the server with dnssec-conf before starting it for the first time. The server config should pass unbound-checkconf before starting the server for the first time.

Additional info:
Not sure how to fix this in the best way, but perhaps packaging zero-length key files or using a %post script that creates zero-length key files would work. Then the config check could pass, but the init script would notice the zero-length files and re-generate real ones.

This is fixed in unbound-1.2.1-5. That also requires dnssec-conf-1.19. dnssec-configure now takes the --nocheck option to avoid this problem. We don't need to generate empty or real key files (might be low on entropy during install) and the checks are there in the default case without --nocheck. Thanks for the bug report!