Found this in my daily mail:

    unbound-an -U root ttyp5 0.02 secs Sun Oct 6 21:57 (0:00:00.16)

Since I have

    auto-trust-anchor-file: "/var/unbound/db/root.key"

in my /var/unbound/etc/unbound.conf, on starting unbound, the rc.d
script runs /usr/sbin/unbound-anchor -v.

Running it manually yields this:

    $ doas /usr/sbin/unbound-anchor -v
    /var/unbound/db/root.key has content
    [1570433629] libunbound[28321:0] fatal error: could not open autotrust file for writing, /var/unbound/db/root.key.28321-0-1966ee948e00: No such file or directory

The problem is the following change that came with the update to 1.9.3:

    - Add hex print of trust anchor pointer to trust anchor file temp
      name to make it unique, for libunbound created multiple contexts.

See
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/unbound/validator/autotrust.c.diff?r1=1.10&r2=1.11
Thus, the unveil code in smallapp/unbound-anchor.c needs some
adjustment.

    if (asprintf(&root_anchor_tempfile, "%s.%d-0", root_anchor_file,
        getpid()) == -1) {
            if(verb) printf("out of memory\n");
            exit(0);
    }
    if (unveil(root_anchor_file, "rwc") == -1)
            err(1, "unveil");
    if (unveil(root_anchor_tempfile, "rwc") == -1)
            err(1, "unveil");

The problem is that tp used for tempfile generation is not yet known at
that point. Not sure how best to deal with this.
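
The mismatch described in the message above, as an added example that is not part of the original post and is not unbound's code. It models unveil(2) path coverage instead of calling it; the "%s.%d-%d-%llx" layout is inferred from the error message, and unveiling the directory is only one hypothetical alternative.

```c
/* Added illustration: models unveil(2) coverage; it does not call unveil. */
#include <stdio.h>
#include <string.h>

/* Name unbound-anchor unveils before the context exists (from the post). */
static void unveiled_name(char *buf, size_t n, const char *file, int pid) {
	snprintf(buf, n, "%s.%d-0", file, pid);
}

/* Name libunbound 1.9.3 opens: pid, worker number, hex of the anchor pointer.
 * Layout inferred from the error message in the post (assumption). */
static void written_name(char *buf, size_t n, const char *file, int pid,
    int worker, unsigned long long tp) {
	snprintf(buf, n, "%s.%d-%d-%llx", file, pid, worker, tp);
}

/* Simplified model: an unveiled path covers itself and, when it is a
 * directory, every path beneath it. */
static int covered(const char *path, const char *const *set, size_t cnt) {
	for (size_t i = 0; i < cnt; i++) {
		size_t len = strlen(set[i]);
		if (strcmp(path, set[i]) == 0)
			return 1;
		if (strncmp(path, set[i], len) == 0 && path[len] == '/')
			return 1;
	}
	return 0;
}

/* Returns 1 if the temp file libunbound opens is visible under the set. */
static int tempfile_visible(int use_directory) {
	const char *file = "/var/unbound/db/root.key";
	char pre[256], post[256];
	/* pid and pointer value are the ones shown in the post's error output */
	unveiled_name(pre, sizeof(pre), file, 28321);
	written_name(post, sizeof(post), file, 28321, 0, 0x1966ee948e00ULL);
	const char *exact[] = { file, pre };        /* what the current code unveils */
	const char *dir[] = { "/var/unbound/db" };  /* hypothetical alternative */
	return use_directory ? covered(post, dir, 1) : covered(post, exact, 2);
}

int main(void) {
	printf("exact-name unveil covers temp file: %d\n", tempfile_visible(0));
	printf("directory unveil covers temp file:  %d\n", tempfile_visible(1));
	return 0;
}
```

Unveiling the directory exposes everything in /var/unbound/db to the process with "rwc", which is broader than the two exact names the current code allows.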