Hi, in the course of looking into the upgrade failure, I ended up purging dnssec-trigger and then installed it again. I notice this creates keys and config files in both /etc/ and /etc/dnssec-trigger?! Different to Alex, I get traceback in the middle of the log (also for subsequent attempts to 'apt-get install -f' etc):
Jan 14 20:51:32 thinkpad systemd[1]: Starting Generate keys and certificates for dnssec-trigger... Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: setup in directory /etc Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: generating dnssec_trigger_server.key Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: Generating RSA private key, 3072 bit long modulus (2 primes) Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: .............................................................++++ Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: ..........................................................................................................................................................................++++ Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: e is 65537 (0x010001) Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: generating dnssec_trigger_control.key Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Generating RSA private key, 3072 bit long modulus (2 primes) Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: ...........++++ Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: .................................................................................................................................++++ Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: e is 65537 (0x010001) Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: create dnssec_trigger_server.pem (self signed certificate) Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: create dnssec_trigger_control.pem (signed client certificate) Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Signature ok Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: subject=CN = dnssec-trigger-control Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Getting CA Private Key Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Setup success. Certificates created. Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: run this script again with -i to: Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: #011- enable remote-control in unbound.conf Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: #011- start unbound-control-setup Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: #011- add root trust anchor to unbound.conf Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: if you have not done this already Jan 14 20:51:33 thinkpad systemd[1]: Started Generate keys and certificates for dnssec-trigger. Jan 14 20:51:33 thinkpad systemd[1]: Starting Reconfigure local DNSSEC resolver on connectivity changes... Jan 14 20:51:33 thinkpad dnssec-trigger-script[6819]: Backing up /etc/resolv.conf as /run/dnssec-trigger/resolv.conf.backup... Jan 14 20:51:33 thinkpad dnssec-triggerd: [6822] info: dnssec-trigger 0.17 start Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: Traceback (most recent call last): Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 774, in <module> Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: main() Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 761, in main Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: Application(sys.argv).run() Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 472, in run Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: self.method() Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 556, in run_setup Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: self._unbound_set_negative_cache_ttl(UNBOUND_MAX_NEG_CACHE_TTL) Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 641, in _unbound_set_negative_cache_ttl Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: subprocess.check_call(CMD, stdout=DEVNULL, stderr=DEVNULL) Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File "/usr/lib/python3.7/subprocess.py", line 347, in check_call Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: raise CalledProcessError(retcode, cmd) Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: subprocess.CalledProcessError: Command '['unbound-control', 'set_option', 'cache-max-negative-ttl:', '5']' returned non-zero exit status 1. Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: chattr: Datei oder Verzeichnis nicht gefunden beim Auslesen des Status von /etc/resolv.conf Jan 14 20:51:34 thinkpad dnssec-triggerd: [6822] error: chmod(/etc/resolv.conf) failed: No such file or directory Jan 14 20:51:34 thinkpad dnssec-triggerd: [6822] error: cannot open /var/run/dnssec-trigger/zones: No such file or directory Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX client cert Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: 139691302409536:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310: Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX client cert Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: 140634252199232:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310: Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX client cert Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: 139941692548416:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310: Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX client cert Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: 140564896728384:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310: Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX client cert Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: 139702998553920:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310: Jan 14 20:51:34 thinkpad kernel: [51521.772186] traps: dnssec-triggerd[6822] general protection ip:563bc6d85c90 sp:7fff2c281de0 error:0 in dnssec-triggerd[563bc6d76000+18000] Jan 14 20:51:34 thinkpad systemd[1]: Started Session c26 of user root. Jan 14 20:51:34 thinkpad systemd[1]: dnssec-triggerd.service: Main process exited, code=dumped, status=11/SEGV Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: Running update all with these connections: Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: { Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "connections": [ Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: { Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "default": true, Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "servers": [ Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "192.168.178.1", Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "fd00::224:feff:fe7e:9c62" Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: ], Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "type": "wifi", Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "zones": [ Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "fritz.box" Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: ] Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: } Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: ] Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: } Jan 14 20:51:34 thinkpad systemd[1]: session-c26.scope: Succeeded. Jan 14 20:51:34 thinkpad systemd[1]: dnssec-triggerd.service: New main PID 6822 does not exist or is a zombie. Jan 14 20:51:34 thinkpad dnssec-trigger-script[6859]: Recovering /etc/resolv.conf... Jan 14 20:51:34 thinkpad dnssec-trigger-script[6859]: Cannot connect to unbound. Jan 14 20:51:34 thinkpad systemd[1]: dnssec-triggerd.service: Failed with result 'core-dump'. Jan 14 20:51:34 thinkpad systemd[1]: Failed to start Reconfigure local DNSSEC resolver on connectivity changes. Florian