1.7.3 - local zone trust auto-trust-anchor -> error: anchor cannot be with and without autotrust

ѽ҉ᶬḳ℠ vtol at gmx.net
Thu Jul 26 20:14:38 UTC 2018


>>>> You can start the auto-trust-anchor-file rotation by providing a file
>>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>>> in there.
>>>>
>>>>
>> I tried this with (in conf)
>>
>> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
>> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>>
>> And the latter reading (copied from the BIND-9 zone file)
>>
>> mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> and as variation
>>
>> mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
>> mail. 1d IN DNSKEY 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>
>> but either way unbound is reporting the below and I do not understand
>> what the issue (anchor cannot be with and without autotrust) is?
>>
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 1, skipping
>> error: anchor cannot be with and without autotrust
>> error: failed to load trust anchor from
>> /etc/unbound/mail-trusted-key.key at line 2, skipping
>> error: failed to read /etc/unbound/mail-trusted-key.key
>> error: error reading auto-trust-anchor-file:
>> /etc/unbound/mail-trusted-key.key
>> error: validator: error in trustanchors config
>> error: validator: could not apply configuration settings.
>> fatal error: bad config for validator module
> Looking at autotrust.c, it seems to be expecting a certain (NSD?) anchor
> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and, if
> that is not met, throwing the error.
> I am no coder and cannot make sense of
>
> if(tp) {
>         if(!tp->autr) {
>             log_err("anchor cannot be with and without autotrust");
>             lock_basic_unlock(&tp->lock);
>             return NULL;
>         }
>
> The BIND-9 zone file only provides the aforementioned. Does anything have
> to be done with it to make it compliant with the anchor structure required
> by unbound?
>
>

After a [ dig dnskey ] of the zone I amended
"/etc/unbound/mail-trusted-key.key" to

mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlqOnl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLxymR1B8+DZ96lXvkW
mail. 86156 IN DNSKEY 256 3 14 lWTX1MIw/HqcBk7nHwAmMvHnlvAVF8L0BZb9Foqi6BiS8qJIDu6j3tP8ggjkkU2/ISCmJ0Ue1MGQd5jEwT5fKJ1mtESlqYawGODGWmNb8L/wamlQNVH9QHWav9qfgvc1

but the [ error: anchor cannot be with and without autotrust ] just
keeps on popping up.

Am I doing something wrong or is this a bug in unbound?
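The check below is an added example (Python, standard library only) and not unbound's code or the poster's: it parses the DS records quoted from the BIND 9 zone file and the DNSKEY records from the amended anchor file, computes each key's RFC 4034 key tag and DS digests, and reports which DS record actually authenticates which DNSKEY. It also lints the DNSKEY fields, which shows why the earlier "variation" (DS key tag, algorithm and digest pasted under DNSKEY syntax) is not a DNSKEY record at all. The record data is the post's, re-joined onto single lines because the mail client wrapped the base64; the function names and the fixed-key-length table are this example's own.

```python
"""Sanity-check a DNSSEC trust-anchor file: parse DNSKEY/DS presentation
format, compute RFC 4034 key tags and DS digests, lint DNSKEY fields.
Added example, not unbound's code.  Standard library only."""
import base64
import hashlib
import struct

# Constructed input: the amended anchor file from the post, each record
# re-joined onto a single line (the mail client wrapped the base64).
DNSKEY_FILE = """\
mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlqOnl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLxymR1B8+DZ96lXvkW
mail. 86156 IN DNSKEY 256 3 14 lWTX1MIw/HqcBk7nHwAmMvHnlvAVF8L0BZb9Foqi6BiS8qJIDu6j3tP8ggjkkU2/ISCmJ0Ue1MGQd5jEwT5fKJ1mtESlqYawGODGWmNb8L/wamlQNVH9QHWav9qfgvc1
"""

# Constructed input: the DS records copied from the BIND 9 zone file.
DS_FILE = """\
mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
"""

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Public-key sizes fixed by RFC 6605 (ECDSA) and RFC 8080 (EdDSA); RSA varies.
FIXED_KEY_LEN = {13: 64, 14: 96, 15: 32, 16: 57}


def _tokens(line):
    """Drop ';' comments and '(' ')' grouping, then split on whitespace."""
    return line.split(";")[0].replace("(", " ").replace(")", " ").split()


def name_to_wire(name):
    """Owner name in canonical (lower-cased) wire form, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag_from_rdata(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...'."""
    t = _tokens(line)
    i = t.index("DNSKEY")
    flags, proto, alg = int(t[i + 1]), int(t[i + 2]), int(t[i + 3])
    key = base64.b64decode("".join(t[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    return {"owner": t[0], "flags": flags, "protocol": proto, "algorithm": alg,
            "key": key, "rdata": rdata, "key_tag": key_tag_from_rdata(rdata)}


def parse_ds(line):
    """Parse 'owner [ttl] [class] DS keytag alg digesttype hex...'."""
    t = _tokens(line)
    i = t.index("DS")
    return {"owner": t[0], "key_tag": int(t[i + 1]), "algorithm": int(t[i + 2]),
            "digest_type": int(t[i + 3]), "digest": "".join(t[i + 4:]).upper()}


def ds_digest(dnskey, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s.5.1.4."""
    h = DIGEST[digest_type]()
    h.update(name_to_wire(dnskey["owner"]) + dnskey["rdata"])
    return h.hexdigest().upper()


def lint_dnskey(dnskey):
    """Return the reasons this record cannot be a valid DNSKEY (empty if ok)."""
    problems = []
    if dnskey["protocol"] != 3:
        problems.append("protocol field is %d, RFC 4034 requires 3" % dnskey["protocol"])
    want = FIXED_KEY_LEN.get(dnskey["algorithm"])
    if want is not None and len(dnskey["key"]) != want:
        problems.append("algorithm %d needs a %d-byte key, got %d bytes"
                        % (dnskey["algorithm"], want, len(dnskey["key"])))
    return problems


def match_ds(ds_text, dnskey_text):
    """For each DS record, list the DNSKEYs whose owner, tag, alg and digest match."""
    keys = [parse_dnskey(l) for l in dnskey_text.splitlines() if l.strip()]
    report = []
    for ds in (parse_ds(l) for l in ds_text.splitlines() if l.strip()):
        hits = [k for k in keys
                if k["owner"].lower() == ds["owner"].lower()
                and k["key_tag"] == ds["key_tag"]
                and k["algorithm"] == ds["algorithm"]
                and ds_digest(k, ds["digest_type"]) == ds["digest"]]
        report.append((ds, hits))
    return report


if __name__ == "__main__":
    for line in DNSKEY_FILE.splitlines():
        k = parse_dnskey(line)
        print("DNSKEY %s flags=%d alg=%d tag=%d %s" % (k["owner"], k["flags"],
              k["algorithm"], k["key_tag"], lint_dnskey(k) or "ok"))
    for ds, hits in match_ds(DS_FILE, DNSKEY_FILE):
        print("DS tag=%d type=%d -> %s" % (ds["key_tag"], ds["digest_type"],
              "matches flags=%d key" % hits[0]["flags"] if hits else "no matching DNSKEY"))
```

Run it against the real files before touching unbound.conf: a DS line that reports "no matching DNSKEY" means the copied DS set and the dig output describe different keys, and a non-empty lint list means the line is not DNSKEY syntax. The parsed owner names are also what to compare across every configured anchor file, since the quoted snippet logs "anchor cannot be with and without autotrust" exactly when a trust point `tp` for that name already exists without `autr` set.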