unbound-helper root_trust_anchor_update fails without notice what happened

[emdete]

Describe the bug

when issuing /usr/libexec/unbound-helper root_trust_anchor_update it may fail (exit code 1) but doesnt tell what happened.

strace shows that it tries (unconditionally it seems, the config has a different path) to read and write to /usr/share/dns/root.key and /usr/share/dns doesnt exist.

To reproduce
Steps to reproduce the behavior:

1. run /usr/libexec/unbound-helper root_trust_anchor_update
2. alternativly watch what happens with strace /usr/libexec/unbound-helper root_trust_anchor_update

Expected behavior

the file to be generated.

System:

• OS: Devuan ceres
• unbound -V output:

Version 1.17.0

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.7 1 Nov 2022
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available

Additional information

in fact this are two problems: the wrong path and the missing logging.

[Jakker]

On 29 Dec 2022, at 23:32, M. Dietrich ***@***.***> wrote: Describe the bug when issuing /usr/libexec/unbound-helper root_trust_anchor_update it may fail (exit code 1) but doesnt tell what happened. strace shows that it tries (unconditionally it seems, the config has a different path) to read and write to /usr/share/dns/root.key and /usr/share/dns doesnt exist

Unbound-helper is not part of the unbound distribution. Maintaining the root.key is normally done with unbound-anchor, see man(1) unbound-anchor for details. This suggests that you want to do something like "unbound -a some-path". To quote man(1) unbound-anchor: Suggested usage: # in the init scripts. # provide or update the root anchor (if necessary) unbound-anchor -a "/usr/local/etc/unbound/root.key" # Please note usage of this root anchor is at your own risk # and under the terms of our LICENSE (see source). # # start validating resolver # the unbound.conf contains: # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" unbound -c unbound.conf jaap

[emdete]

Sorry, in that case it seems to be a debian packaging problem, unbound-anchor is not part of the package it seems.

[max-aigner]

apt install unbound unbound-anchor

[DaDummy]

Looks like there is a packaging mistake in the current Debian package version of unbound-anchor as it does not create the directory /usr/share/dns, which then causes invocations to unbound-anchor to fail.