I've been working on using dnssec with the unbound package and viewing some of the threads here on the list regarding this.
Enabling autotrust and the validator module in unbound.conf and running unbound-anchor before starting unbound will enable dnssec but eventually will log errors of:

could not open autotrust file for writing

This is apparently because the _unbound user or group does not have write privileges to the directory; running unbound-anchor with "sudo -u _unbound" doesn't change the directory perms. I'm using the following diff to make this all work (you can all probably improve on it, and please do):

===================================================
--- unbound.orig	Mon Dec 30 11:03:51 2013
+++ unbound	Mon Dec 30 11:38:19 2013
@@ -8,6 +8,14 @@
 . /etc/rc.d/rc.subr
 
 pexp="unbound${daemon_flags:+ ${daemon_flags}}"
+
+autotrust() {
+	chgrp _unbound "/var/unbound/etc"
+	chmod 775 "/var/unbound/etc"
+	sudo -u _unbound /usr/local/sbin/unbound-anchor
+	wait
+}
+
 rc_reload=NO
 
 rc_pre() {
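Review bot: `wait` at the end of autotrust() is a no-op, because nothing in the function is started in the background; sudo runs unbound-anchor in the foreground and only returns once it has exited, so there is no job for `wait` to wait on, and since it is the function's last statement autotrust() always reports success. Drop it and give the function a meaningful result instead, e.g. end with `[ -s /var/unbound/etc/root.key ]` so the caller can fail when no anchor was written; do not use `sudo ... || return 1`, because per unbound-anchor(8) an exit status of 1 means the anchor was (re)written from the certificate, not that it failed. Separately, `chmod 775 "/var/unbound/etc"` hands the _unbound group write access to the whole configuration directory, which also holds unbound.conf and the unbound_control.pem/control keys written by unbound-control-setup (see the context of the next hunk), so a compromised resolver running as _unbound could replace its own config or control credentials. The autotrust file does need a writable directory (the log error being fixed is about writing it), so put root.key in a directory of its own owned by _unbound, pass that path to unbound-anchor with `-a`, and point auto-trust-anchor-file in unbound.conf at it, leaving /var/unbound/etc root-owned.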
@@ -16,6 +24,7 @@
 	    -f /var/unbound/etc/unbound_control.pem ]]; then
 		unbound-control-setup >/dev/null 2>&1
 	fi
+	autotrust
 }
 
 rc_start() {
===================================================

If the autotrust function is run (it can be commented out if desired) it retrieves the root.key and gives the _unbound group write privileges to the /var/unbound/etc directory, thereby preventing the above log errors.

I must admit that I'm not sure about the use of "wait" in the added autotrust function, but if I don't use it unbound will not start the first time (if there is no root.key file), but will on all subsequent attempts (seems unbound will try to start before the key is retrieved).

Also discovered that unbound-anchor can retrieve the root.key without added DNS support, which was a concern posted in an earlier thread. For example, on the box I've been working with Unbound is the DNS provider and resolv.conf points directly (127.0.0.1) and only to it, but yet with unbound stopped and no DNS support unbound-anchor will retrieve the key.

Whether or not to run the autotrust function could also be made more automatic by testing the unbound.conf file (as was previously posted in another thread).

And to strongly reiterate that it would be super to have this product in base, as then it would properly start up before the dhcpd daemon so that addresses could be assigned via hostnames instead of duplicating the dotted quad work - if one uses hostname lookups in dhcpd then it will not start if DNS is not up, workarounds notwithstanding.

Chris
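Review bot: `autotrust` is called unconditionally at the end of rc_pre, so every start chgrps and chmods /var/unbound/etc and runs unbound-anchor (which needs network access) even on hosts whose unbound.conf has no auto-trust-anchor-file. Gate it on the config, as the mail itself suggests, e.g. `grep -q '^[[:space:]]*auto-trust-anchor-file' /var/unbound/etc/unbound.conf && autotrust`, and since rc.subr does not run rc_start when rc_pre returns non-zero, let a missing anchor propagate (`autotrust || return 1` once autotrust() actually tests for root.key) rather than letting unbound start, fail on the absent key, and rely on the next attempt. As written, `autotrust` is also the last statement of rc_pre, so rc_pre's status is whatever the trailing no-op `wait` in autotrust() returns, which is always success.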
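As an added example (my code, not from the original post and not the unbound port's rc script), here is an rc_pre helper that does what the autotrust() function above does while keeping the _unbound user out of /var/unbound/etc: it reads the anchor path from unbound.conf, refuses to proceed if that path is inside the config directory, prepares a separate anchor directory owned by the unbound user, runs unbound-anchor with `-a`, and judges success by the file on disk rather than by unbound-anchor's exit status. The variable names ANCHOR_USER, ANCHOR_CMD and ANCHOR_SUDO and the function names are mine; the assumed layout (anchor in its own directory such as /var/unbound/db, unbound-anchor in /usr/local/sbin, anchor fetched via sudo) is a choice, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post or from the unbound port:
# an rc_pre helper that fetches the DNSSEC trust anchor without making the
# unbound config directory writable by _unbound.
# Assumptions (overridable, names are mine): unbound.conf has an
# auto-trust-anchor-file line whose directory is separate from the config
# directory (e.g. /var/unbound/db/root.key), unbound-anchor lives in
# /usr/local/sbin, and the anchor is fetched as $ANCHOR_USER via sudo.

: "${ANCHOR_USER:=_unbound}"
: "${ANCHOR_CMD:=/usr/local/sbin/unbound-anchor}"
: "${ANCHOR_SUDO:=sudo -u $ANCHOR_USER}"   # set to "" when already that user

# Print the auto-trust-anchor-file path from an unbound.conf (first match,
# quotes optional); print nothing when DNSSEC validation is not configured.
anchor_path_from_conf() {
	sed -n 's/^[[:space:]]*auto-trust-anchor-file:[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Prepare the anchor directory and fetch/refresh the anchor as $ANCHOR_USER.
# Returns 0 when nothing is configured or a non-empty anchor file exists
# afterwards, 1 otherwise, so rc_pre can do: autotrust_setup conf || return 1
autotrust_setup() {
	conf=$1
	anchor=$(anchor_path_from_conf "$conf")
	[ -n "$anchor" ] || return 0
	dir=$(dirname "$anchor")
	if [ "$dir" = "$(dirname "$conf")" ]; then
		# A writable config directory would let _unbound replace unbound.conf
		# and the unbound-control keys; insist on a directory of its own.
		printf 'autotrust: %s is inside the config directory, refusing to make it writable by %s\n' "$anchor" "$ANCHOR_USER" >&2
		return 1
	fi
	mkdir -p "$dir" && chown "$ANCHOR_USER" "$dir" && chmod 0755 "$dir" || return 1
	# unbound-anchor(8) exits 1 when it wrote a new anchor, not on failure,
	# so its status is ignored and the outcome is checked on disk instead.
	$ANCHOR_SUDO "$ANCHOR_CMD" -a "$anchor" >/dev/null 2>&1 || :
	[ -s "$anchor" ]
}
```

In rc_pre this replaces the `autotrust` call with `autotrust_setup /var/unbound/etc/unbound.conf || return 1`, so unbound is not started when the anchor could not be written; the path given to `-a` is the one unbound.conf names, so the two cannot drift apart.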