unbound-anchor fails, claiming file does not exist
owenpmckenna opened this issue · 8 comments
Hello! I'm trying to use Unbound DNS in Docker on my Windows PC to secure my traffic (using DNSSEC, as I understand it).
My Dockerfile looks like:

```dockerfile
FROM ubuntu:22.04
RUN apt update
RUN apt install unbound -y
COPY unbound-new.conf /etc/unbound/
RUN mkdir /usr/local/etc/unbound/
RUN unbound-anchor -vvv -a /usr/local/etc/unbound/root.key -c /etc/unbound/unbound-new.conf
ENTRYPOINT [ "unbound", "-vvv", "-dd", "-c", "/etc/unbound/unbound-new.conf" ]
```
and unbound-new.conf looks like:

```
server:
    do-not-query-localhost: no
    trust-anchor-file: '/usr/local/etc/unbound/root.key'
    qname-minimisation: yes
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    username: 'root'
    chroot: ''
```
It seems like this should work. unbound-anchor's man page claims, in regards to the key file: "If the file does not exist, or is empty, a builtin root key is written to it."

When I run the Dockerfile build it fails on `RUN unbound-anchor ...`. I get the output:

```
/usr/local/etc/unbound/root.key does not exist
success: the anchor is ok
```
I thought unbound-anchor was supposed to create the file? If anyone has any advice it would be great. It's entirely possible I just missed something obvious. Thank you!
Unbound simply tells you that it cannot find the root.key file. Download it with this command:

```sh
wget https://data.iana.org/root-anchors/root-anchors.xml/root.key -qO- | sudo tee /usr/local/etc/unbound/root.key
```

I have adapted the installation location for you; you just have to run it in your Docker. When you have run it, see what it tells you about DNSSEC.
That URL gives me a 404? https://data.iana.org/root-anchors/root-anchors.xml is a real file but https://data.iana.org/root-anchors/root-anchors.xml/root.key isn't.
This comes from the source where the root files can be found, and where you can also get the root.hints. The page I am talking about is this: https://www.iana.org/domains/root/files.

All root files are on the page and you can download them with wget if you enter the URL. As I have specified the command, you should of course also specify the location where you want it to go so that the anchor can find it.
I'm sorry, I'm confused. I thought unbound-anchor generated the root.key file. I shouldn't need to download that key in that case. unbound-anchor tells me `success: the anchor is ok`, so I don't think I need to download that file. Does that sound right?
Yes, I installed Unbound from the source here, but then I downloaded the root.key from the site on my Linux system (aka Debian) and my DNSSEC worked. But it told you, yes, it can't find the file: `/usr/local/etc/unbound/root.key does not exist`, I mean this part. And actually you can download the root.key file from the root file page with the command wget.
I was doing the same thing. It looks like the file was created (correctly?) but unbound-anchor failed with nonzero status (which broke Docker).
To be honest, I never had Unbound on Docker, but as far as I know Docker is just a VM where you can create more things like Unbound etc., so it should still be possible to load the root.key. But according to the wiki I also understood that you can create a file with the command; it never worked for me, which is why I have this from the root side.

But I have an idea. I'll upload the root file where I create a link, then you can download the file and move it to the right place, then the anchor should actually work.
Yes, so it looks like for some reason unbound-anchor completes its action successfully but despite this it returns a non-zero exit code (so scripts can use it, I guess). To Docker's build scripts it looks like this failed, and it breaks everything. So I changed the line to

```dockerfile
RUN unbound-anchor -vvv -a /usr/local/etc/unbound/root.key -c /etc/unbound/unbound-new.conf || :
```

which causes Docker to ignore the "error" (nonzero status code). I think I'm past this error now. Thank you for helping me @Aura67!
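An added example, not code from this thread or from the Unbound project: a POSIX shell wrapper for the build step that interprets unbound-anchor's exit status instead of discarding it. unbound-anchor exits 1 when it changed the key file (including the case in this thread, where the builtin root key is written to a missing file) and 0 when nothing changed, so `|| :` hides the difference between "key written" and "tool crashed". The wrapper accepts status 0 and 1, fails on anything else, and also refuses to succeed when the resulting file is empty or contains no DS/DNSKEY record. The function name `fetch_root_anchor`, the `ANCHOR_CMD` variable (so the logic can be exercised without the binary) and the script file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the Unbound project.
# Wraps the unbound-anchor build step so the exit status is interpreted
# rather than ignored: unbound-anchor exits 1 when it changed the key file
# (which includes writing the builtin root key to a missing or empty file,
# the first-build case in the thread) and 0 when nothing changed.  Any other
# status, or a key file that ends up unusable, still fails the build.
#
# ANCHOR_CMD (assumed name) lets the command be swapped for a stand-in when
# exercising the logic on a host without unbound-anchor installed.

fetch_root_anchor() {
    keyfile="$1"
    mkdir -p "$(dirname "$keyfile")" || return 1

    # Capture the status in a way that does not trip "set -e" in callers.
    if "${ANCHOR_CMD:-unbound-anchor}" -a "$keyfile"; then
        status=0
    else
        status=$?
    fi

    case "$status" in
        0) echo "root anchor unchanged: $keyfile" ;;
        1) echo "root anchor written or updated: $keyfile" ;;
        *) echo "unbound-anchor failed with exit status $status" >&2
           return 1 ;;
    esac

    # A missing or zero-byte file is not a usable trust anchor, so check the
    # artefact itself, not just the exit status.
    if [ ! -s "$keyfile" ]; then
        echo "key file missing or empty: $keyfile" >&2
        return 1
    fi
    # The anchor file carries DS or DNSKEY records; anything else is suspect.
    if ! grep -Eq '[[:space:]](DS|DNSKEY)[[:space:]]' "$keyfile"; then
        echo "no DS/DNSKEY record found in $keyfile" >&2
        return 1
    fi
    return 0
}

# Usage: sh fetch-anchor.sh /usr/local/etc/unbound/root.key
if [ "$#" -gt 0 ]; then
    fetch_root_anchor "$1"
fi
```

In the Dockerfile this replaces the `|| :` line with something like `COPY fetch-anchor.sh /usr/local/bin/` followed by `RUN sh /usr/local/bin/fetch-anchor.sh /usr/local/etc/unbound/root.key` (file name assumed). Separately, `trust-anchor-file:` is read once and never refreshed; Unbound's `auto-trust-anchor-file:` option keeps the file current through RFC 5011 key rollovers (it needs the file to be writable by the Unbound user) and is the usual choice for a resolver that will run for a long time.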