Maintained by: NLnet Labs

initial failures

jpff
Thu May 26 17:30:31 CEST 2016


I installed unbound yesterday and I thought I followed the instructions,
but I have two problems.

1: if I have
      auto-trust-anchor-file: "/etc/unbound/root.key"
in the conf file I see
[1464193283] unbound[14683:0] error: could not open autotrust file for writing, /root.key.14683-0: Permission denied
[1464195262] unbound[14958:0] notice: init module 0: validator
[1464195262] unbound[14958:0] notice: init module 1: iterator
[1464195263] unbound[14958:0] info: start of service (unbound 1.4.17).
[1464195266] unbound[14958:0] error: could not open autotrust file for writing, /root.key.14958-0: Permission denied
[1464236233] unbound[14958:0] error: could not open autotrust file for writing, /root.key.14958-0: Permission denied

in the log file.  I have tried both 644 with owner root and unbound to
the same effect.  What permissions do I need?

2:  Without that line I am getting DNS lookup failures from the local
network.  The setup is: the LAN is 172.16.4.0/24 with a gateway/firewall
at 172.16.4.42 on which unbound is run.  That machine has two Ethernet
connections, eth0: for LAN and eth1: carrying PPPoE to the world.

Symptoms include automounting failing to resolve the machine name and
opening xterms via ssh also fails.

I assume I have misunderstood something trivial but what?

==John ffitch

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    #auto-trust-anchor-file: "/etc/unbound/root.key"
    directory: "/etc/unbound"
    username: unbound
    # make sure unbound can access entropy from inside the chroot.
    # e.g. on Linux, use these commands (on BSD, devfs(8) is used):
    #      mount --bind -n /dev/random /etc/unbound/dev/random
    # and  mount --bind -n /dev/log /etc/unbound/dev/log
    chroot: "/etc/unbound"
    logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    verbosity: 2      # uncomment and increase to get more logging.
    # listen on all interfaces, answer queries from the local subnet.
    interface: 0.0.0.0
    access-control: 172.16.4.0/24 allow
    statistics-cumulative: yes
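
The errors in the log name a file `root.key.<pid>-0` beside the anchor rather than `root.key` itself, so the permission that matters is whether the `unbound` account may create files in the directory holding the anchor. The check below is an added example, not part of the original post or of unbound; the function names are hypothetical and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: can the account unbound runs as create files in the
# directory that holds the trust anchor?

# Succeeds if uid $1, with group ids $2 (space separated), may create
# files in directory $3, judged from the directory's owner and mode bits.
can_create_in() {
    uid=$1; gids=$2; dir=$3
    [ -d "$dir" ] || return 2
    if [ "$uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    set -- $(stat -c '%u %g %a' "$dir")         # GNU stat: owner group mode
    owner=$1; group=$2; mode=$3
    own=$((mode / 100 % 10)); grp=$((mode / 10 % 10)); oth=$((mode % 10))
    if [ "$uid" -eq "$owner" ]; then
        bits=$own
    else
        bits=$oth
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then bits=$grp; fi
        done
    fi
    # Creating a file needs both write (2) and search (1) on the directory.
    [ $((bits & 3)) -eq 3 ]
}

# $1 = account name (username: in unbound.conf)
# $2 = anchor path as seen from outside the chroot
check_anchor() {
    adir=$(dirname "$2")
    if can_create_in "$(id -u "$1")" "$(id -G "$1")" "$adir"; then
        echo "ok: $1 can create files in $adir"
    else
        echo "FAIL: $1 cannot create files in $adir"
        return 1
    fi
}

# Usage with the values from the posted config:
#   check_anchor unbound /etc/unbound/root.key
```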