Unbound marche correctement, sauf si je choisis de décommenter 'auto-trust-anchor-file: "/etc/unbound/trusted-key.key"' (la configuration ci-dessous utilise donc, pour l'instant, 'trust-anchor-file', qui se contente de lire le fichier, alors que la variante 'auto-' doit aussi pouvoir l'écrire). Lorsque je relance le service, il y a une erreur de droits sur le fichier /etc/unbound/trusted-key.key et Unbound ne peut pas se lancer.
ls -l /etc/unbound
total 21388
-rw-r----- 1 root wheel 21769728 14 déc. 01:25 blacklist
drwxr-xr-x 2 root root 4096 4 juin 2021 dev
-rw-r--r-- 1 root wheel 3314 29 nov. 01:36 root.hints
drwxr-xr-x 2 root root 4096 4 juin 2021 run
-rw-rw---- 1 unbound root 738 12 déc. 02:02 trusted-key.key
-rw-r----- 1 root wheel 46765 14 déc. 18:36 unbound.conf
-rw-r----- 1 root wheel 46442 24 nov. 04:03 unbound.conf.save
-rw------- 1 root root 2455 4 juin 2021 unbound_control.key
-rw-r----- 1 root root 1411 4 juin 2021 unbound_control.pem
-rw------- 1 root root 2455 4 juin 2021 unbound_server.key
-rw-r----- 1 root root 1549 4 juin 2021 unbound_server.pem
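# Loopback-only validating resolver that forwards everything to Quad9 over
# DNS-over-TLS.  Runs as user "unbound" chrooted in /etc/unbound; Unbound
# strips the chroot prefix from absolute paths that start with it, so the
# /etc/unbound/... paths below resolve inside the chroot.
server:
# ~21 MB local-zone list, pulled in when the config is parsed.  The config is
# re-parsed on "unbound-control reload", presumably after the privilege drop,
# so keep unbound.conf and this file readable by the unbound user if reloads
# must work (both are root-owned 0640 on this host).
include: /etc/unbound/blacklist
# No logging at all: DNSSEC or DoT failures become silent SERVFAILs.
# Consider log-servfail: yes (and verbosity: 1) while troubleshooting.
verbosity: 0
statistics-interval: 0
num-threads: 8
interface: 127.0.0.1
# NOTE(review): do-ip6: no below also disables answering on IPv6, so this ::1
# listener is probably skipped -- verify with "ss -lntup | grep :53".
interface: ::1
port: 53
outgoing-range: 78
so-rcvbuf: 0
so-sndbuf: 0
so-reuseport: yes
edns-buffer-size: 1232
stream-wait-size: 7m
msg-cache-size: 32m
msg-cache-slabs: 8
num-queries-per-thread: 1024
rrset-cache-size: 64m
rrset-cache-slabs: 8
# NOTE(review): a one-day minimum TTL overrides every authoritative TTL, so a
# changed, revoked or poisoned record stays cached for up to 24 h.  A few
# minutes is the usual upper bound for a resolver.
cache-min-ttl: 86400
cache-max-ttl: 172800
infra-cache-slabs: 8
infra-cache-numhosts: 30000
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
use-systemd: no
# Default-deny, then allow loopback only (matches the interfaces above).
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1/128 allow
# Privilege drop: chroot, then setuid to "unbound".  Anything Unbound reads
# after this point must be readable by that user; anything it writes
# (auto-trust-anchor-file) needs a directory that user can write to.
chroot: "/etc/unbound"
username: "unbound"
directory: "/etc/unbound"
use-syslog: no
log-time-ascii: no
log-queries: no
log-replies: no
log-tag-queryreply: no
log-local-actions: no
log-servfail: no
# Relative to "directory:", i.e. /etc/unbound/root.hints; only used when the
# forwarders are unavailable (see forward-first below).
root-hints: "root.hints"
hide-identity: yes
hide-version: yes
hide-http-user-agent: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
# "no" is Unbound's default: when a DS advertises several algorithms, the
# weakest one is enough to validate.  Set to yes for a strict algorithm policy.
harden-algo-downgrade: no
qname-minimisation: yes
aggressive-nsec: yes
use-caps-for-id: yes
# DNS-rebinding protection: answers pointing into these ranges are dropped.
# 172.16.0.0/12 and 169.254.0.0/16 are not covered; add them unless names
# are expected to resolve there (VPN, lab networks).
private-address: 10.0.0.0/8
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
unwanted-reply-threshold: 10000000
do-not-query-localhost: no
prefetch: yes
prefetch-key: yes
minimal-responses: yes
disable-dnssec-lame-check: no
# DNSSEC validation is done locally, not trusted from the forwarder.
module-config: "validator iterator"
root-key-sentinel: yes
# Static anchor: read at startup and never updated, so it goes stale at the
# next root KSK rollover.  auto-trust-anchor-file tracks rollovers (RFC 5011)
# but must rewrite the file -- Unbound writes a temporary file beside it and
# renames it over the original -- so besides the file being owned by
# "unbound" (it is), the containing directory must be writable by that user,
# which a root-owned /etc/unbound most likely is not (check
# "ls -ld /etc/unbound").  Either make the directory writable by unbound, or
# move the anchor into its own unbound-owned subdirectory inside the chroot
# (e.g. /etc/unbound/var/) and point auto-trust-anchor-file there.
trust-anchor-file: "/etc/unbound/trusted-key.key"
val-clean-additional: yes
key-cache-size: 128m
key-cache-slabs: 8
# DoT service on 853, loopback only per "interface:" above.  The key is
# root-owned 0600 on this host, so it is presumably loaded before the
# privilege drop; the AppArmor profile only forbids writing it.
tls-service-key: "/etc/unbound/unbound_server.key"
tls-service-pem: "/etc/unbound/unbound_server.pem"
tls-port: 853
# TLS 1.2 list is all (EC)DHE.  The TLS 1.3 list still allows CCM_8 (64-bit
# tag), which servers usually drop -- harmless on loopback.
tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
pad-responses: yes
tls-use-sni: yes
# CA bundle used to verify the forwarders' certificates.  Per the unbound.conf
# man page it is read at startup before the chroot, which is why this
# outside-the-chroot path works.
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
python:
dynlib:
# unbound-control on loopback only; uses the unbound_server.* /
# unbound_control.* key pair in /etc/unbound.
remote-control:
control-enable: yes
control-interface: 127.0.0.1
forward-zone:
name: "."
# "#dns.quad9.net" is the TLS authentication name.  Without it Unbound
# encrypts to the forwarder but does not check that the presented certificate
# belongs to it, so an on-path attacker holding any CA-issued certificate can
# impersonate the upstream.  With it the certificate is verified against
# tls-cert-bundle for that name.
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
# forward-first: yes means that if both forwarders fail, Unbound falls back
# to full recursion from root.hints over plaintext port 53.  Set to no if
# every upstream query must stay on TLS (at the cost of an outage when Quad9
# is unreachable).
forward-first: yes
forward-tls-upstream: yes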
# Author: Simon Deziel
# vim:syntax=apparmor
#include <tunables/global>
# Confines /usr/sbin/unbound.  AppArmor mediates real filesystem paths, so
# with chroot: "/etc/unbound" in unbound.conf the files Unbound sees as
# /trusted-key.key, /root.hints, ... still match the /etc/unbound/... rules;
# the /var/lib/unbound rules are the packaged (Debian) layout and are unused
# by such a configuration.  Deny rules take precedence over allow rules in
# AppArmor, so the "audit deny" lines carve the private keys out of the
# broad read grants.
/usr/sbin/unbound {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
# NOTE(review): nothing here explicitly grants the tls-cert-bundle
# (/etc/ssl/certs/ca-certificates.crt).  If abstractions/openssl does not pull
# in ssl_certs on this system, add "#include <abstractions/ssl_certs>"; a
# denial would show in the audit log when the DoT forwarders are contacted.
# needlessly chown'ing the PID
deny capability chown,
# bind :53 / :853, drop root -> unbound, enter the chroot, raise rlimits
# (file-descriptor limit, presumably).
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# root trust anchor (RFC 5011 auto-update rewrites root.key and, presumably,
# a temporary file with the same prefix -- hence rw and the glob)
owner /var/lib/unbound/root.key* rw,
# root hints from dns-data-root
/usr/share/dns/root.* r,
# non-chrooted paths
# Everything under /etc/unbound is readable (config, blacklist, hints,
# certificates); the deny rules below override this for the private keys.
/etc/unbound/** r,
# Read/write on *.key* is what auto-trust-anchor-file needs: both the anchor
# file and the temporary file Unbound creates beside it.  "owner" only matches
# files owned by the process user, and AppArmor does not replace Unix
# permissions -- the directory itself must still be writable by that user.
owner /etc/unbound/*.key* rw,
# unbound-control client credentials: the daemon is not expected to need them.
audit deny /etc/unbound/unbound_control.{key,pem} rw,
# The DoT / control service key may be read but never rewritten.
audit deny /etc/unbound/unbound_server.key w,
# chrooted paths
/var/lib/unbound/** r,
owner /var/lib/unbound/**/*.key* rw,
audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
audit deny /var/lib/unbound/**/unbound_server.key w,
/usr/sbin/unbound mr,
# pidfile, with or without the unbound/ subdirectory
/{,var/}run/{unbound/,}unbound.pid rw,
# Unix control socket
/{,var/}run/unbound.ctl rw,
}
Merci pour vos suggestions.