1.7.3 - local zone trust auto-trust-anchor -> error: anchor cannot be with and without autotrust

ѽ҉ᶬḳ℠ vtol at gmx.net
Thu Jul 26 22:22:08 UTC 2018


Just to conclude this thread - call it my ignorance: I had copied/pasted
various zone statements into the server directive, including
[ domain-insecure: mail ]. After removing it the error is gone.

>>>>> You can start the auto-trust-anchor-file rotation by providing a file
>>>>> like for trust-anchor-file: a plain text file with DNSKEY or DS records
>>>>> in there.
>>>>>
>>>>>
>>> I tried this with (in conf)
>>>
>>> auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
>>> auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
>>>
>>> And the latter reading (copied from the BIND-9 zone file)
>>>
>>> mail. 1d IN DS 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
>>> mail. 1d IN DS 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>>
>>> and as variation
>>>
>>> mail. 1d IN DNSKEY 22205 14 1 0FFE136DCCCFD7879D350A62610193ADA5F18111
>>> mail. 1d IN DNSKEY 22205 14 2 816572C6D97DDBCD9E7EB99644EDD0CEB30237EA1FE20526574BADB1B9A5B6DA
>>>
>>> but either way unbound is reporting the below and I do not understand
>>> what the issue (anchor cannot be with and without autotrust) is?
>>>
>>> error: anchor cannot be with and without autotrust
>>> error: failed to load trust anchor from
>>> /etc/unbound/mail-trusted-key.key at line 1, skipping
>>> error: anchor cannot be with and without autotrust
>>> error: failed to load trust anchor from
>>> /etc/unbound/mail-trusted-key.key at line 2, skipping
>>> error: failed to read /etc/unbound/mail-trusted-key.key
>>> error: error reading auto-trust-anchor-file:
>>> /etc/unbound/mail-trusted-key.key
>>> error: validator: error in trustanchors config
>>> error: validator: could not apply configuration settings.
>>> fatal error: bad config for validator module
>> Looking at autotrust.c, it seems to expect a certain (NSD?) anchor
>> structure (anchors, uint8_t* rr, size_t rr_len, size_t dname_len) and, if
>> that is not met, throws the error.
>> I am no coder and cannot make sense of
>>
>> if(tp) {
>>         if(!tp->autr) {
>>             log_err("anchor cannot be with and without autotrust");
>>             lock_basic_unlock(&tp->lock);
>>             return NULL;
>>         }
>>
>> The BIND-9 zone file only provides the aforementioned. Does anything
>> have to be done with it to make it compliant with the anchor
>> structure required by unbound?
>>
>>
> after a [ dig dnskey ] of the zone, I amended
> "/etc/unbound/mail-trusted-key.key" to
>
> mail. 86156 IN DNSKEY 257 3 14 cFLtBucj9d4f4Yu2S4ATAyj3VElBcDAukQdQaG+Kv47VV+932dU7VZlq Onl8VKBYU/Z6gRvGYGmkl3bGtaqdcqyjoMWYoXgku+SqMMpZVPHvWqLx ymR1B8+DZ96lXvkW
> mail. 86156 IN DNSKEY 256 3 14 lWTX1MIw/HqcBk7nHwAmMvHnlvAVF8L0BZb9Foqi6BiS8qJIDu6j3tP8 ggjkkU2/ISCmJ0Ue1MGQd5jEwT5fKJ1mtESlqYawGODGWmNb8L/wamlQ NVH9QHWav9qfgvc1
>
> but the [ error: anchor cannot be with and without autotrust ] just
> keeps on popping up.
>
> Am I doing something wrong or is this a bug in unbound?
>
>
>
>
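An added check, written for this archive page and not part of the original message or of Unbound itself: a small Python linter that flags the combination the thread settled on, a domain-insecure name that also has records in an auto-trust-anchor-file. The config text and anchor-file contents are constructed samples modelled on the thread, with placeholder digests and keys.

```python
import re

# Constructed sample modelled on the thread: a server: clause listing both
# anchor files plus, pasted in with other zone statements, domain-insecure: mail.
SAMPLE_CONF = """\
server:
    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
    auto-trust-anchor-file: "/etc/unbound/mail-trusted-key.key"
    domain-insecure: mail
"""
# Constructed anchor-file contents keyed by path (stand-in for reading disk);
# the digest and keys are placeholders, not real material.
SAMPLE_FILES = {
    "/etc/unbound/trusted-key.key": ". 172800 IN DS 20326 8 2 <root-ds-digest>",
    "/etc/unbound/mail-trusted-key.key": "mail. 86156 IN DNSKEY 257 3 14 <ksk>\n"
                                         "mail. 86156 IN DNSKEY 256 3 14 <zsk>\n",
}
DIRECTIVE = re.compile(r'^(domain-insecure|auto-trust-anchor-file):\s*"?([^"\s]+)"?$')

def normalize(name):
    """Canonical owner name: lower case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."

def parse_conf(text):
    """Collect domain-insecure names and auto-trust-anchor-file paths."""
    insecure, paths = set(), []
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "domain-insecure":
            insecure.add(normalize(m.group(2)))
        elif m:
            paths.append(m.group(2))
    return insecure, paths

def anchor_owners(text):
    """Owner names of DS/DNSKEY records in a zone-file style anchor file."""
    owners = set()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) >= 4 and {"DS", "DNSKEY"} & set(fields[1:4]):
            owners.add(normalize(fields[0]))
    return owners

def find_conflicts(conf_text, files):
    """(owner, path) pairs where a domain-insecure name also gets an autotrust anchor."""
    insecure, paths = parse_conf(conf_text)
    return [(owner, path) for path in paths
            for owner in sorted(anchor_owners(files.get(path, "")))
            if owner in insecure]
```

Running find_conflicts(SAMPLE_CONF, SAMPLE_FILES) reports mail. against /etc/unbound/mail-trusted-key.key; with the domain-insecure line removed, as in the conclusion above, it reports nothing.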

More information about the Unbound-users mailing list