Package Details: dnssec-trigger 0.17-1

Git Clone URL: https://aur.archlinux.org/dnssec-trigger.git (read-only)
Package Base: dnssec-trigger
Description: Reconfigures the local unbound DNS server to use DNSSEC enabled forwarders
Upstream URL: http://www.nlnetlabs.nl/projects/dnssec-trigger/
Licenses: BSD
Submitter: ghen
Maintainer: fmorgner
Last Packager: fmorgner
Votes: 15
Popularity: 0.038539
First Submitted: 2011-11-17 14:10
Last Updated: 2018-12-29 09:28

Latest Comments


Durag commented on 2019-06-04 18:52

I get the same error as Raansu.

Raansu commented on 2019-04-25 12:46

@fmorgner I'm experiencing a crash trying to set up dnssec-trigger for the first time; the log of that is below. I dug around and it seems that the Debian version makes use of a few patches to fix this in their version. Can you please add those patches here?

https://metadata.ftp-master.debian.org/changelogs//main/d/dnssec-trigger/dnssec-trigger_0.17+repack-3_changelog

https://packages.debian.org/sid/dnssec-trigger

Apr 25 05:23:06 Y40-80 systemd[1]: dnssec-triggerd.service: Failed with result 'exit-code'.
Apr 25 05:23:06 Y40-80 systemd[1]: Failed to start Reconfigure local DNSSEC resolver on network change.
Apr 25 05:23:06 Y40-80 systemd[1]: dnssec-triggerd.service: Service RestartSec=100ms expired, scheduling restart.
Apr 25 05:23:06 Y40-80 systemd[1]: dnssec-triggerd.service: Scheduled restart job, restart counter is at 2.
Apr 25 05:23:06 Y40-80 systemd[1]: Stopped Reconfigure local DNSSEC resolver on network change.
Apr 25 05:23:06 Y40-80 systemd[1]: Starting Reconfigure local DNSSEC resolver on network change...
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]: [28771] info: dnssec-trigger 0.17 start
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]: Traceback (most recent call last):
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 773, in <module>
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     main()
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 760, in main
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     Application(sys.argv).run()
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 471, in run
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     self.method()
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 555, in run_setup
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     self._unbound_set_negative_cache_ttl(UNBOUND_MAX_NEG_CACHE_TTL)
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 640, in _unbound_set_negative_cache_ttl
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     subprocess.check_call(CMD, stdout=DEVNULL, stderr=DEVNULL)
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/python3.7/subprocess.py", line 347, in check_call
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     raise CalledProcessError(retcode, cmd)
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]: subprocess.CalledProcessError: Command '['unbound-control', 'set_option', 'cache-max-negative-ttl:', '5']' returned non-zero exit status 1.
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]: Traceback (most recent call last):
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 773, in <module>
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     main()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 760, in main
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     Application(sys.argv).run()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 471, in run
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     self.method()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 633, in run_update
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     self.run_update_global_forwarders()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 656, in run_update_global_forwarders
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     UnboundZoneConfig._control([config.flush_command, "."])
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 307, in _control
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     subprocess.check_call(["unbound-control"] + args, stdout=DEVNULL, stderr=DEVNULL)
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/python3.7/subprocess.py", line 347, in check_call
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     raise CalledProcessError(retcode, cmd)
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]: subprocess.CalledProcessError: Command '['unbound-control', 'flush_zone', '.']' returned non-zero exit status 1.

opippi commented on 2018-06-18 03:13

dnssec-triggerd still reports an error: sh: /usr/libexec/dnssec-trigger-script: No such file or directory

The following patch seems to fix it.

    --- riggerd/reshook.c.org       2018-06-18 11:36:49.039307630 +0900
    +++ riggerd/reshook.c   2018-06-18 11:38:25.173947801 +0900
    @@ -256,7 +256,7 @@
            win_set_resolv("127.0.0.1");
     #else /* not on windows */
     #  ifndef HOOKS_OSX /* on Linux/BSD */
    -       if (system("/usr/libexec/dnssec-trigger-script --setup") == 0)
    +       if (system(LIBEXEC_DIR "/dnssec-trigger-script --setup") == 0)
                    return;

            if(really_set_to_localhost(cfg)) {
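
Review bot: the `system(...) == 0` test at the `--setup` call falls through to `really_set_to_localhost(cfg)` without logging anything when the script cannot be run, so a wrong path shows up only as the shell's own "No such file or directory" message. Log the non-zero status before taking the fallback. The new line also needs `LIBEXEC_DIR` to expand to a string literal, and nothing in the visible lines defines it, so confirm that reshook.c includes the header that provides it.
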
    @@ -285,7 +285,7 @@
            char iplist[10240];
            iplist[0] = 0;
     #else
    -       if (system("/usr/libexec/dnssec-trigger-script --restore") == 0)
    +       if (system(LIBEXEC_DIR "/dnssec-trigger-script --restore") == 0)
                    return;
     #endif
            set_to_localhost = 0;
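
Review bot: in the `--restore` call the script path now depends on the build-time value of `LIBEXEC_DIR`, so the package build has to set it to the directory the script is really installed in; the traceback posted in the 2019-04-25 comment on this page shows it at /usr/lib/dnssec-trigger/dnssec-trigger-script. Because the concatenated string is passed to `system()` and therefore to `sh`, a `LIBEXEC_DIR` containing spaces or shell metacharacters would be split or interpreted; a fork/exec call with an argument vector would avoid that.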

discostar commented on 2017-11-28 16:24

Works for me without modification now. Thanks!

fmorgner commented on 2017-11-18 10:28

Updated to latest upstream.

@discostar: thanks for the patch! could you verify if the new package works?

discostar commented on 2017-07-12 19:49

In addition to the error in the previous comment, I had problems with the service failing to start due to openSSL-1.1.0 not supporting the SSL_OP_NO_SSLv2 checks. I had to modify the patch I found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843532, since some parts of it were already applied to the source. I also added the fix for the '/usr/libexec' issue. My final patch looks like this:

diff --git a/riggerd/cfg.c b/riggerd/cfg.c
index 03f4f73..08b2028 100644
--- a/riggerd/cfg.c
+++ b/riggerd/cfg.c
@@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen)
if(!ctx)
return ctx_err_ret(ctx, err, errlen,
"could not allocate SSL_CTX pointer");
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
return ctx_err_ret(ctx, err, errlen,
"could not set SSL_OP_NO_SSLv2");
+#endif
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|| !SSL_CTX_check_private_key(ctx))
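
Review bot: the guard `#if OPENSSL_VERSION_NUMBER < 0x10100000` in `cfg_setup_ctx_client` keys on the library version rather than on the condition that breaks the check. In OpenSSL 1.1.0 `SSL_OP_NO_SSLv2` is defined as 0, so `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2` is always 0 and the error return is always taken; a feature test such as `#if SSL_OP_NO_SSLv2 != 0` states that directly and does not depend on how other TLS libraries report their version number. If the version test stays, write the constant with its usual `L` suffix (`0x10100000L`).
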
diff --git a/riggerd/net_help.c b/riggerd/net_help.c
index 21e79e7..b17486c 100644
--- a/riggerd/net_help.c
+++ b/riggerd/net_help.c
@@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
return NULL;
}
/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
SSL_CTX_free(ctx);
return NULL;
}
+#endif
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
log_err("error for cert file: %s", pem);
log_crypto_err("error in SSL_CTX use_certificate_file");
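
Review bot: with the check compiled out, `listen_sslctx_create` sets no protocol restriction of its own on OpenSSL 1.1.0 and later, and the comment `/* no SSLv2 because has defects */` is left sitting above an empty branch. SSLv2 no longer exists in those versions, so nothing is lost, but an `#else` branch calling `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)` (available from 1.1.0) would keep an explicit floor on the listening side. Move the comment inside the `#if` as well.
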
diff --git a/riggerd/svr.c b/riggerd/svr.c
index 0b46b1d..5f232f4 100644
--- a/riggerd/svr.c
+++ b/riggerd/svr.c
@@ -162,10 +162,12 @@ static int setup_ssl_ctx(struct svr* s)
return 0;
}
/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
return 0;
}
+#endif
s_cert = s->cfg->server_cert_file;
s_key = s->cfg->server_key_file;
verbose(VERB_ALGO, "setup SSL certificates");
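
Review bot: this is the third copy of the same version guard around the same `SSL_OP_NO_SSLv2` check (cfg.c, net_help.c and here in `setup_ssl_ctx`). One helper that applies the protocol options to an `SSL_CTX` and is called from all three sites would keep them from drifting apart at the next OpenSSL API change. The failure path here also returns 0 without freeing `s->ctx`, while the net_help.c version calls `SSL_CTX_free(ctx)`; check that the caller cleans up.
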
--- a/riggerd/reshook.c
+++ b/riggerd/reshook.c
@@ -256,7 +256,7 @@
win_set_resolv("127.0.0.1");
#else /* not on windows */
# ifndef HOOKS_OSX /* on Linux/BSD */
+ if (system(LIBEXEC_DIR "/dnssec-trigger-script --setup") == 0)
- if (system("/usr/libexec/dnssec-trigger-script --setup") == 0)
return;

if(really_set_to_localhost(cfg)) {
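
Review bot: only the `--setup` call in reshook.c is changed, so the `--restore` call in the same file would still use the hard-coded /usr/libexec path (the 2018-06-18 patch on this page changes both, at lines 256 and 285). Add the second hunk. The `+` line is also placed before the `-` line and this file has no `diff --git` header, which suggests the hunk was edited by hand; regenerate it with `git diff` so that it applies cleanly.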

Commod0re commented on 2017-03-17 20:45

dnssec-triggerd[14315]: sh: /usr/libexec/dnssec-trigger-script: No such file or directory

looks like this moved?

fmorgner commented on 2017-01-17 09:59

That's a valid point. Will patch that later.

grawity commented on 2017-01-17 09:58

Do you need the update-icon-cache invocation at all? Its output is going to be rm'd anyway, so just patch it out entirely.

fmorgner commented on 2017-01-17 09:52

Bumped to 0.13 and applied patches from @bkero.