Package Details: dnssec-trigger 0.17-1

Git Clone URL: https://aur.archlinux.org/dnssec-trigger.git
Package Base: dnssec-trigger
Description: Reconfigures the local unbound DNS server to use DNSSEC enabled forwarders
Upstream URL: http://www.nlnetlabs.nl/projects/dnssec-trigger/
Licenses: BSD
Submitter: ghen
Maintainer: ljmf00
Last Packager: fmorgner
Votes: 14
Popularity: 0.000000
First Submitted: 2011-11-17 14:10 (UTC)
Last Updated: 2018-12-29 09:28 (UTC)

Latest Comments


ilario commented on 2022-11-17 14:46 (UTC)

This does not work for me at all. Also, when uninstalling the package, the immutable attribute remains applied to /etc/resolv.conf (can be removed with sudo chattr -i /etc/resolv.conf). Moreover, comparing the PKGBUILD with the INSTALL file in the source, it seems that some needed steps are missing (dnssec-trigger-control-setup and dnssec-trigger-control-setup -i). I would suggest against installing this package (or maybe even removing it from AUR), as it could leave your system in a broken state.

hsafe commented on 2019-09-28 13:47 (UTC)

Recent updates have broken the service per earlier notices... here are the versions of my packages:

dnssec-trigger Version : 0.17-1
unbound Version : 1.9.3-3

Appreciate feedback from the maintainers...

Durag commented on 2019-06-04 18:52 (UTC)

I get the same error as Raansu.

Raansu commented on 2019-04-25 12:46 (UTC)

@fmorgner I'm experiencing a crash trying to set up dnssec-trigger for the first time; the log of that is below. I dug around and it seems that the Debian version makes use of a few patches to fix this in their version. Can you please add those patches here?

https://metadata.ftp-master.debian.org/changelogs//main/d/dnssec-trigger/dnssec-trigger_0.17+repack-3_changelog

https://packages.debian.org/sid/dnssec-trigger

Apr 25 05:23:06 Y40-80 systemd[1]: dnssec-triggerd.service: Failed with result 'exit-code'.
Apr 25 05:23:06 Y40-80 systemd[1]: Failed to start Reconfigure local DNSSEC resolver on network change.
Apr 25 05:23:06 Y40-80 systemd[1]: dnssec-triggerd.service: Service RestartSec=100ms expired, scheduling restart.
Apr 25 05:23:06 Y40-80 systemd[1]: dnssec-triggerd.service: Scheduled restart job, restart counter is at 2.
Apr 25 05:23:06 Y40-80 systemd[1]: Stopped Reconfigure local DNSSEC resolver on network change.
Apr 25 05:23:06 Y40-80 systemd[1]: Starting Reconfigure local DNSSEC resolver on network change...
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]: [28771] info: dnssec-trigger 0.17 start
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]: Traceback (most recent call last):
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 773, in <module>
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     main()
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 760, in main
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     Application(sys.argv).run()
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 471, in run
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     self.method()
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 555, in run_setup
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     self._unbound_set_negative_cache_ttl(UNBOUND_MAX_NEG_CACHE_TTL)
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 640, in _unbound_set_negative_cache_ttl
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     subprocess.check_call(CMD, stdout=DEVNULL, stderr=DEVNULL)
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:   File "/usr/lib/python3.7/subprocess.py", line 347, in check_call
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]:     raise CalledProcessError(retcode, cmd)
Apr 25 05:23:06 Y40-80 dnssec-triggerd[28771]: subprocess.CalledProcessError: Command '['unbound-control', 'set_option', 'cache-max-negative-ttl:', '5']' returned non-zero exit status 1.
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]: Traceback (most recent call last):
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 773, in <module>
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     main()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 760, in main
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     Application(sys.argv).run()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 471, in run
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     self.method()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 633, in run_update
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     self.run_update_global_forwarders()
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 656, in run_update_global_forwarders
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     UnboundZoneConfig._control([config.flush_command, "."])
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 307, in _control
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     subprocess.check_call(["unbound-control"] + args, stdout=DEVNULL, stderr=DEVNULL)
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:   File "/usr/lib/python3.7/subprocess.py", line 347, in check_call
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]:     raise CalledProcessError(retcode, cmd)
Apr 25 05:23:06 Y40-80 01-dnssec-trigger[28772]: subprocess.CalledProcessError: Command '['unbound-control', 'flush_zone', '.']' returned non-zero exit status 1.

opippi commented on 2018-06-18 03:13 (UTC) (edited on 2018-06-18 03:32 (UTC) by opippi)

dnssec-triggerd still reports an error: sh: /usr/libexec/dnssec-trigger-script: No such file or directory

The following patch seems to fix it.

    --- riggerd/reshook.c.org       2018-06-18 11:36:49.039307630 +0900
    +++ riggerd/reshook.c   2018-06-18 11:38:25.173947801 +0900
    @@ -256,7 +256,7 @@
            win_set_resolv("127.0.0.1");
     #else /* not on windows */
     #  ifndef HOOKS_OSX /* on Linux/BSD */
    -       if (system("/usr/libexec/dnssec-trigger-script --setup") == 0)
    +       if (system(LIBEXEC_DIR "/dnssec-trigger-script --setup") == 0)
                    return;

            if(really_set_to_localhost(cfg)) {
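Review bot: on the changed `system(LIBEXEC_DIR "/dnssec-trigger-script --setup")` line, the concatenation only compiles if LIBEXEC_DIR expands to a string literal, and nothing in this hunk shows where it is defined; confirm the build defines it (config header or -D flag) for every target that reaches this `#ifndef HOOKS_OSX` branch. Separately, any non-zero result from system(), including the shell's "No such file or directory" case reported in this comment, falls through silently to really_set_to_localhost(cfg); logging the return value before the fallback would make a wrong script path visible.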
    @@ -285,7 +285,7 @@
            char iplist[10240];
            iplist[0] = 0;
     #else
    -       if (system("/usr/libexec/dnssec-trigger-script --restore") == 0)
    +       if (system(LIBEXEC_DIR "/dnssec-trigger-script --restore") == 0)
                    return;
     #endif
            set_to_localhost = 0;
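Review bot: the `--restore` call repeats the same `LIBEXEC_DIR "/dnssec-trigger-script` concatenation as the `--setup` call in the previous hunk; define the script path once (for example a single macro built from LIBEXEC_DIR) so the two call sites cannot drift apart. Because the command goes through system() and therefore sh, a LIBEXEC_DIR containing spaces or shell metacharacters would be split or interpreted; quote the path inside the command string or use fork/exec with an argument vector.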

discostar commented on 2017-11-28 16:24 (UTC)

Works for me without modification now. Thanks!

fmorgner commented on 2017-11-18 10:28 (UTC)

Updated to latest upstream. @discostar: thanks for the patch! Could you verify if the new package works?

discostar commented on 2017-07-12 19:49 (UTC)

In addition to the error in the previous comment, I had problems with the service failing to start due to openSSL-1.1.0 not supporting the SSL_OP_NO_SSLv2 checks. I had to modify the patch I found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843532, since some parts of it were already applied to the source. I also added the fix for the '/usr/libexec' issue. My final patch looks like this:

diff --git a/riggerd/cfg.c b/riggerd/cfg.c index 03f4f73..08b2028 100644 --- a/riggerd/cfg.c +++ b/riggerd/cfg.c @@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen) if(!ctx) return ctx_err_ret(ctx, err, errlen, "could not allocate SSL_CTX pointer"); +#if OPENSSL_VERSION_NUMBER < 0x10100000 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) return ctx_err_ret(ctx, err, errlen, "could not set SSL_OP_NO_SSLv2"); +#endif if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) diff --git a/riggerd/net_help.c b/riggerd/net_help.c index 21e79e7..b17486c 100644 --- a/riggerd/net_help.c +++ b/riggerd/net_help.c @@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) return NULL; } /* no SSLv2 because has defects */ +#if OPENSSL_VERSION_NUMBER < 0x10100000 if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); SSL_CTX_free(ctx); return NULL; } +#endif if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { log_err("error for cert file: %s", pem); log_crypto_err("error in SSL_CTX use_certificate_file"); diff --git a/riggerd/svr.c b/riggerd/svr.c index 0b46b1d..5f232f4 100644 --- a/riggerd/svr.c +++ b/riggerd/svr.c 
@@ -162,10 +162,12 @@ static int setup_ssl_ctx(struct svr* s) return 0; } /* no SSLv2 because has defects */ +#if OPENSSL_VERSION_NUMBER < 0x10100000 if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); return 0; } +#endif s_cert = s->cfg->server_cert_file; s_key = s->cfg->server_key_file; verbose(VERB_ALGO, "setup SSL certificates"); --- a/riggerd/reshook.c +++ b/riggerd/reshook.c @@ -256,7 +256,7 @@ win_set_resolv("127.0.0.1"); #else /* not on windows */ # ifndef HOOKS_OSX /* on Linux/BSD */ + if (system(LIBEXEC_DIR "/dnssec-trigger-script --setup") == 0) - if (system("/usr/libexec/dnssec-trigger-script --setup") == 0) return; if(really_set_to_localhost(cfg)) {
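
Review bot: in the cfg.c hunk, the `#if OPENSSL_VERSION_NUMBER < 0x10100000` guard keys on a version number rather than on the condition that actually broke. On OpenSSL 1.1.0, SSL_OP_NO_SSLv2 is defined as 0, so the `& SSL_OP_NO_SSLv2` test can never succeed; guarding on `#if SSL_OP_NO_SSLv2 != 0` would express that directly and would not depend on how a given library numbers its releases.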
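
Review bot: in the net_help.c hunk, the comment `/* no SSLv2 because has defects */` stays outside the new `#if`, so on OpenSSL 1.1.0 and later it describes code that is no longer compiled; move it inside the guard and add a line saying why the block is skipped. With the block compiled out, the visible lines set no protocol restriction on the listener context at all; consider an explicit minimum (SSL_CTX_set_min_proto_version is available from OpenSSL 1.1.0) instead of relying on library defaults.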
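
Review bot: the svr.c hunk is the third copy of the same guarded SSL_CTX_set_options block, and each copy handles failure differently (ctx_err_ret in cfg.c, log_crypto_err plus SSL_CTX_free in net_help.c, log_crypto_err and `return 0` without a free here). A small shared helper that applies the protocol options and reports failure would keep the version guard in one place and make the cleanup consistent.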
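
Review bot: the reshook.c hunk has no `diff --git` or index header and lists the `+` line before the `-` line, unlike the three hunks before it; check that it still applies with git apply or patch before shipping it. It also changes only the `--setup` call, while the patch in the 2018-06-18 comment on this page changes a `--restore` call in the same file as well, so that second hard-coded /usr/libexec path needs the same LIBEXEC_DIR treatment.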

Commod0re commented on 2017-03-17 20:45 (UTC)

dnssec-triggerd[14315]: sh: /usr/libexec/dnssec-trigger-script: No such file or directory

looks like this moved?

fmorgner commented on 2017-01-17 09:59 (UTC)

That's a valid point. Will patch that later.