Package Details: dnssec-trigger 0.13-3

Git Clone URL: (read-only)
Package Base: dnssec-trigger
Description: Reconfigures the local unbound DNS server to use DNSSEC enabled forwarders
Upstream URL:
Licenses: BSD
Submitter: ghen
Maintainer: fmorgner
Last Packager: fmorgner
Votes: 12
Popularity: 0.063278
First Submitted: 2011-11-17 14:10
Last Updated: 2017-01-17 23:05

Latest Comments

discostar commented on 2017-07-12 19:49

In addition to the error in the previous comment, I had problems with the service failing to start due to openSSL-1.1.0 not supporting the SSL_OP_NO_SSLv2 checks. I had to modify the patch I found at, since some parts of it were already applied to the source. I also added the fix for the '/usr/libexec' issue. My final patch looks like this:

diff --git a/riggerd/cfg.c b/riggerd/cfg.c
index 03f4f73..08b2028 100644
--- a/riggerd/cfg.c
+++ b/riggerd/cfg.c
@@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen)
return ctx_err_ret(ctx, err, errlen,
"could not allocate SSL_CTX pointer");
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
return ctx_err_ret(ctx, err, errlen,
"could not set SSL_OP_NO_SSLv2");
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
|| !SSL_CTX_check_private_key(ctx))
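
Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10100000` added above the SSL_OP_NO_SSLv2 check in cfg_setup_ctx_client has no matching `#endif` in the lines shown, although the hunk header (9 lines to 11) counts two added lines. The `#endif` needs to sit directly after the "could not set SSL_OP_NO_SSLv2" return and before SSL_CTX_use_certificate_file, otherwise certificate and private-key loading would also be compiled out on OpenSSL 1.1.0 and later.
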
diff --git a/riggerd/net_help.c b/riggerd/net_help.c
index 21e79e7..b17486c 100644
--- a/riggerd/net_help.c
+++ b/riggerd/net_help.c
@@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
return NULL;
/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
return NULL;
if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
log_err("error for cert file: %s", pem);
log_crypto_err("error in SSL_CTX use_certificate_file");
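
Review bot: the comment `/* no SSLv2 because has defects */` in listen_sslctx_create stays outside the new `#if`, so on builds where the guard is false it describes code that is no longer compiled. Move it inside the guard and add a line saying why the check is skipped from 0x10100000 onward. The same version literal now appears in three files, so one macro in a shared header would keep them in sync, and OpenSSL version constants are conventionally written with an `L` suffix (0x10100000L).
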
diff --git a/riggerd/svr.c b/riggerd/svr.c
index 0b46b1d..5f232f4 100644
--- a/riggerd/svr.c
+++ b/riggerd/svr.c
@@ -162,10 +162,12 @@ static int setup_ssl_ctx(struct svr* s)
return 0;
/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
return 0;
s_cert = s->cfg->server_cert_file;
s_key = s->cfg->server_key_file;
verbose(VERB_ALGO, "setup SSL certificates");
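
Review bot: with the SSL_OP_NO_SSLv2 block in setup_ssl_ctx compiled out for 0x10100000 and later, the lines shown set no protocol restriction on those builds, and the `return 0` failure path goes away with it. If the intent is still to refuse obsolete protocol versions, an `#else` branch that sets an explicit floor with SSL_CTX_set_min_proto_version (available from OpenSSL 1.1.0) and keeps the error return would preserve it; which minimum version to pick is left to the maintainer, the patch does not state one.
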
--- a/riggerd/reshook.c
+++ b/riggerd/reshook.c
@@ -256,7 +256,7 @@
#else /* not on windows */
# ifndef HOOKS_OSX /* on Linux/BSD */
+ if (system(LIBEXEC_DIR "/dnssec-trigger-script --setup") == 0)
- if (system("/usr/libexec/dnssec-trigger-script --setup") == 0)

if(really_set_to_localhost(cfg)) {
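
Review bot: `system(LIBEXEC_DIR "/dnssec-trigger-script --setup")` depends on LIBEXEC_DIR expanding to a string literal, and nothing in this hunk shows where it is defined. Check that the build provides it (for example through config.h or a -D flag) and that its value has no trailing slash, or the file will fail to compile or the path will contain `//`. This hunk also lacks the `diff --git` and `index` lines the other three carry and lists the `+` line before the `-` line; regenerating it with the same tool would keep the patch uniform.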

Commod0re commented on 2017-03-17 20:45

dnssec-triggerd[14315]: sh: /usr/libexec/dnssec-trigger-script: No such file or directory

looks like this moved?

fmorgner commented on 2017-01-17 09:59

That's a valid point. Will patch that later.

grawity commented on 2017-01-17 09:58

Do you need the update-icon-cache invocation at all? Its output is going to be rm'd anyway, so just patch it out entirely.

fmorgner commented on 2017-01-17 09:52

Bumped to 0.13 and applied patches from @bkero.

bkero commented on 2016-11-05 21:39

I've found that this package does not build properly on my system. I had to patch the PKGBUILD file to make it work. Here is the diff.

diff --git a/PKGBUILD b/PKGBUILD
index b00da5b..fc71c1a 100644
@@ -21,6 +21,7 @@ sha256sums=('1cafd9ec296edc1d17b9ed2a98e06c7057c80ef1dbd6d45dbfa11991d3703535'
prepare() {
cd "$srcdir/$pkgname-$pkgver"
sed -i "s!/usr/libexec/!/usr/lib/$pkgname/!g"
+ sed -i "s/gtk-update-icon-cache/gtk-update-icon-cache -t/g"

build() {
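
Review bot: the added `sed -i "s/gtk-update-icon-cache/gtk-update-icon-cache -t/g"` in prepare() names no input file as shown, and neither does the `sed -i` context line above it. `sed -i` needs the file or files to edit, so the line should end with the file that contains the gtk-update-icon-cache call. The pattern is also unanchored, so running prepare() a second time on an already patched tree would produce `-t -t`.
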
@@ -42,6 +43,7 @@ package() {
cp "$srcdir/dnssec-triggerd-keygen.service" "$pkgdir/usr/lib/systemd/system/"
rm -f "$pkgdir/etc/xdg/autostart/dnssec-trigger-panel.desktop"
rm -rf "$pkgdir/var"
+ rm -f "$pkgdir/usr/share/icons/hicolor/icon-theme.cache"
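
Review bot: `rm -f "$pkgdir/usr/share/icons/hicolor/icon-theme.cache"` in package() deletes the output of the gtk-update-icon-cache call that the `-t` change in prepare() was added to make succeed, so the two additions work against each other. If the cache is not meant to ship in the package, dropping the gtk-update-icon-cache call from the install step would make both lines unnecessary.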

AnAkkk commented on 2015-10-22 12:30

This doesn't seem to package anymore, it gives an error about gtk-gui-install.

EDIT: I was able to work around the issue by adding APP_INDICATOR="no" before install.

AnAkkk commented on 2015-04-19 14:42

I'm guessing that "sudo dnssec-trigger-control-setup -i" needs to be run, but apparently that behaves badly with Arch Linux. It modifies /etc/unbound and adds two lines, after that the unbound server no longer works (dnssec-triggerd fails). Apparently it's because the unbound user doesn't have read permission on /etc/trusted-key.key.

AnAkkk commented on 2015-04-19 13:49

Apparently the 01-dnssec-trigger script fails with most recent versions of network manager, it fails to get the correct NMCLI_VER.

BoySka commented on 2013-05-07 08:11

Just updating version to 0.11 and setting
sha256sum=('c22cff6a51f0ae8e07393ab7935d44faaabfe3d8341ba8bb85189391dcdfd9fb ')
seems to work.

It should depend on "unbound"
