voxpupuli/puppet-unbound

Option trust_anchor_file is not usable

countsudoku opened this issue · 0 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: (does not matter)
  • Ruby: (does not matter)
  • Distribution: Debian, but doesn't matter either
  • Unbound: 1.9.0
  • Module version: v6.0.0 (and before)

How to reproduce (e.g Puppet code you use)

class { 'unbound':
  trust_anchor_file => '/usr/share/dns/root.key',
  interface         => ['0.0.0.0'],
}

What are you seeing

The unbound.conf cannot be parsed anymore, because it contains both an auto-trust-anchor-file: and a trust-anchor-file: option:

Error: Execution of '/usr/sbin/unbound-checkconf /etc/unbound/unbound.conf20230615-31967-er7wgp' returned 1: [1686863903] unbound-checkconf[32155:0] error: trust anchor presented twice
[1686863903] unbound-checkconf[32155:0] error: could not parse auto-trust-anchor-file /var/lib/unbound/root.key line 2
[1686863903] unbound-checkconf[32155:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.key
[1686863903] unbound-checkconf[32155:0] error: validator: error in trustanchors config
[1686863903] unbound-checkconf[32155:0] error: validator: could not apply configuration settings.
[1686863903] unbound-checkconf[32155:0] fatal error: bad config for validator module

What behaviour did you expect instead

Unbound should use my provided trust_anchor_file.

Any additional information you'd like to impart

The part of the template that is responsible for this code is:

<%= print_config('trust-anchor-file', @trust_anchor_file) -%>
<%= print_config('auto-trust-anchor-file', @auto_trust_anchor_file) -%>

plus the definitions in the init.pp:

Optional[Stdlib::Absolutepath] $trust_anchor_file = undef,

and

Stdlib::Absolutepath $auto_trust_anchor_file = "${runtime_dir}/root.key",

So the auto_trust_anchor_file variable is always set and always added to the config file. As soon as a trust_anchor_file is configured there are two "trust-anchor-file" variants in the config file.

I am not sure how you would like to fix that: The cleanest option – from my point of view – would be to make the auto_trust_anchor_file also Optional and add some input validation so that not both values are set.
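A sketch of the fix suggested above, added here as an example and not the module's own code: both anchor parameters become Optional, the class fails early when both are set, and the previous default of `${runtime_dir}/root.key` is kept only when the user configured neither. The `$runtime_dir` default, the `pick()` call from stdlib, and the assumption that `print_config` skips undef values (as it already must for the Optional `trust_anchor_file`) are mine.

```puppet
# Hypothetical parameter block for class unbound (not the module's code):
# only one of the two anchor files may be configured.
class unbound (
  Stdlib::Absolutepath           $runtime_dir            = '/var/lib/unbound',  # assumed default
  Optional[Stdlib::Absolutepath] $trust_anchor_file      = undef,
  Optional[Stdlib::Absolutepath] $auto_trust_anchor_file = undef,
) {
  # Input validation: reject the catalog here instead of letting
  # unbound-checkconf fail later with "trust anchor presented twice".
  if $trust_anchor_file and $auto_trust_anchor_file {
    fail('unbound: trust_anchor_file and auto_trust_anchor_file are mutually exclusive; set only one of them')
  }

  # Preserve the old behaviour (auto-trust-anchor-file under $runtime_dir)
  # only when the user supplied no trust anchor file at all.
  $_auto_trust_anchor_file = $trust_anchor_file ? {
    undef   => pick($auto_trust_anchor_file, "${runtime_dir}/root.key"),
    default => undef,
  }

  # The template lines quoted in this issue can stay as they are, provided the
  # template is handed $_auto_trust_anchor_file and print_config emits nothing
  # for an undef value (assumed, since trust_anchor_file is already Optional):
  #   <%= print_config('trust-anchor-file', @trust_anchor_file) -%>
  #   <%= print_config('auto-trust-anchor-file', @auto_trust_anchor_file) -%>
}
```

With this guard, the reproduction manifest above renders a single trust-anchor-file: line, and a manifest setting both parameters fails at compile time with a clear message rather than at `unbound-checkconf`.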