After 2 days of fighting with unbound to get a local caching/recursive server up with full DNSSEC, here's what I came up with. The permissions I had to put on the 2 files listed below are ridiculous, but for now it works and I have a lot of faith in my iptables firewall...lol.

(unbound version 1.4.19-1.el6 x86_64 -- works with the procedures outlined below)
(unbound version 1.4.20-1.el6 x86_64 -- could not get rid of access denied to root.key, therefore DNSSEC wouldn't work either, even with specific DNSSEC servers listed in unbound.conf)

root.key is in /var/lib/unbound (by default now). cd to that directory and do:

    ln -P root.key /etc/unbound/root.key

cd to /etc/unbound. I did (roothints is a folder I created for the root-hints file):

    chown -Rv unbound:root roothints
    chmod 7777 roothints
    chown -v unbound:root root.key
    chmod 7777 root.key

That got rid of the cannot write/read problem I was having on those 2 files.

Doing the recommended (?) SELinux fix:

    # grep unbound /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

stopped the SELinux denials (checked through audit.log quite carefully for more denials as I was working on this).

Also (for more info) /etc/unbound is owner:(root:root) and "nameserverconfig" SELinux context.

I hope that helps nail this down, or at least helps someone having the same problems. Contact me if you need more info; I used to help Daniel and Miroslav on SELinux problems I encountered when I was running Fedora releases. Now I use Scientific-Linux 6.4, the completely CERN version. I can always do a VM for testing, since I don't want to play with the server anymore...hahaha!

Best regards,
Alexander Hunt
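An added check to go with the comment above, written for this page and not part of the comment or of the unbound project. It shows the least-privilege alternative to the chmod 7777 step: the service account owns the trust-anchor file and the hints directory, nothing is accessible to "other", and no setuid/setgid/sticky bits are set. The owner (assumed to be the unbound account on a live host) and the paths are parameters, so the functions run unchanged against a temporary tree created by an ordinary user; GNU stat is assumed, with a BSD stat fallback.

```shell
#!/bin/sh
# Added example, not from the comment above or from the unbound project.
# Audits ownership and mode of unbound's trust anchor (root.key) and the
# root-hints directory instead of widening them to 7777, and applies a
# least-privilege fix. OWNER may be a user name or a numeric uid.

# mode_of PATH -> numeric mode such as 640 or 7777 (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# owner_uid_of PATH -> numeric uid of the owner
owner_uid_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# uid_of OWNER -> numeric uid; a raw number is passed through unchanged
uid_of() {
    id -u "$1" 2>/dev/null || printf '%s\n' "$1"
}

# check_anchor_perms PATH OWNER
# Prints one line per finding. Returns 0 when PATH is owned by OWNER, has
# no setuid/setgid/sticky bit and grants nothing to "other"; 1 on any
# finding; 2 if PATH cannot be stat'ed. Mode 7777 fails both mode checks.
check_anchor_perms() {
    path=$1; want=$(uid_of "$2"); rc=0
    mode=$(mode_of "$path") || return 2
    have=$(owner_uid_of "$path")
    mode=$(printf '%04d' "$mode")             # pad so the special digit exists
    special=$(printf '%s' "$mode" | cut -c1)
    other=$(printf '%s' "$mode" | cut -c4)
    if [ "$have" != "$want" ]; then
        echo "$path: owner uid is $have, expected $want"; rc=1
    fi
    if [ "$special" != "0" ]; then
        echo "$path: setuid/setgid/sticky bit set (mode $mode)"; rc=1
    fi
    if [ "$other" != "0" ]; then
        echo "$path: accessible to other (mode $mode)"; rc=1
    fi
    return $rc
}

# fix_anchor_perms PATH OWNER
# The service user owns the path; directories become 0750 (the anchor file
# is rewritten beside root.key on RFC 5011 key rollover, so the directory
# must stay writable for that user), files become 0640.
fix_anchor_perms() {
    chown "$2" "$1" || return 1
    if [ -d "$1" ]; then
        chmod 0750 "$1"
    else
        chmod 0640 "$1"
    fi
}

# audit_unbound_tree DIR OWNER -> 0 only if DIR and every entry in it pass
audit_unbound_tree() {
    dir=$1; owner=$2; status=0
    check_anchor_perms "$dir" "$owner" || status=1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        check_anchor_perms "$entry" "$owner" || status=1
    done
    return $status
}

# Stand-alone use on a live host (paths and account name as assumed above):
#   audit_unbound_tree /etc/unbound unbound
```

The mode check says nothing about SELinux labels: a denial in audit.log for a file whose owner and mode already pass this audit points at the file's context, which restorecon -v on the path restores when the shipped policy already knows the right label, without writing a custom module.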
This update has been submitted for testing by pwouters.
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
This update has been pushed to testing
This update has been unpushed
This update has been obsoleted by https://admin.fedoraproject.org/updates/unbound-1.4.21-1.el6