Bugzilla – Bug 758
Unbound should test that auto-* files are writable
Last modified: 2016-04-28 09:23:54 CEST
I just launched Unbound 1.5.8 with:
with a root.key file which was writable only by root, not by the Unbound user. Unbound did not complain at all. It will probably fail when the new root key is published.
In the light of a possible future root KSK rollover, it seems a possible problem. Many people rely (wrongly, IMHO) on RFC 5011 to make this rollover.
I suggest testing the writability of auto-* files at startup.
But unbound does? On the first query, it'll lookup the root key; then the root key file is written again and unbound fatal-exits when the root key is not writable.
Unbound writes to the root key file every time it probes the . DNSKEY query.
Best regards, Wouter
Yes, sorry, I was too impatient. (Apparently, in some cases, Unbound does not test immediately? I cannot reproduce it right now.)
 unbound[30703:0] debug: autotrust: write to disk: /tmp/foobar/root.key.30703-0
 unbound[30703:0] fatal error: could not open autotrust file for writing, /tmp/foobar/root.key.30703-0: Permission denied
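A pre-flight check of the kind suggested in the report, written here as an added example (it is not part of Unbound or of this bug thread): it lists every auto-trust-anchor-file in an unbound.conf and verifies, for the user it runs as, that the file and its directory are writable, since Unbound writes a temporary file next to the anchor file on every root DNSKEY probe (as the root.key.30703-0 path in the log shows). The config path and the unbound user name in the comments are assumptions.

```shell
#!/bin/sh
# Pre-flight check for Unbound's RFC 5011 auto-trust-anchor-file entries.
# Unbound rewrites each anchor file via a temp file in the same directory
# (e.g. root.key.<pid>-<n>) on every root DNSKEY probe, so both the directory
# and the file must be writable by the user Unbound runs as. `test -w` checks
# the *current* user, so run this as that user, e.g. (assumed names):
#   sudo -u unbound sh preflight.sh /etc/unbound/unbound.conf

# Print every auto-trust-anchor-file path from the config, one per line.
# Accepts optional quotes and trailing comments; skips commented-out lines.
autotrust_files() {
    sed -n 's/^[[:space:]]*auto-trust-anchor-file:[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*/\1/p' "$1" \
        | sed 's/[[:space:]]*$//'
}

# Return 0 if every anchor file and its directory is writable by the current
# user; otherwise report each problem and return 1.
check_autotrust_writable() {
    autotrust_files "$1" | {
        rc=0
        while IFS= read -r f; do
            d=$(dirname "$f")
            if [ ! -d "$d" ]; then
                echo "MISSING: directory $d (for $f)"; rc=1
            elif [ ! -w "$d" ]; then
                echo "NOT WRITABLE: directory $d (Unbound cannot create $f.<pid>-<n>)"; rc=1
            elif [ -e "$f" ] && [ ! -w "$f" ]; then
                echo "NOT WRITABLE: $f"; rc=1
            else
                echo "ok: $f"
            fi
        done
        exit $rc   # status of this subshell becomes the pipeline status
    }
}
```

Note that root passes `test -w` on any directory, so the check is only meaningful when run as the unprivileged Unbound user.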