A prior test seems to have not been done carefully: The Unbound daemon itself does NOT create the root trust anchors from internal data if missing. Only unbound-anchor does this.
There are several options to bootstrap it:
- Ship unbound-anchor and add "Provides" + "Conflicts" for Debian's unbound-anchor package.
- Bootstrap them from online data, though there is no DNSKEY-format file with exactly the needed data; they would need to be extracted from https://www.internic.net/domain/root.zone (DNSKEY format, but a large document) or https://data.iana.org/root-anchors/root-anchors.xml (exactly the needed keys, but XML format), and we'd again introduce the attack vector of a download with HTTPS authenticity only.
- Ship it, hardcoded in our build script.
- Use again the dns-root-data package from Debian. For now, since we do not distribute our package yet, we need to assure dns-root-data is installed anyway on dietpi-software Unbound installs. Trusting Debian and the additional APT-side authenticity is probably easier in any case. We will go with this for now, aligning with the Debian package. Once we ship it with our own APT repository, we can again think about shipping the initial key with the package itself, for easier maintenance by running unbound-anchor within the build script. However, instead of updating the anchors on every service start, we bootstrap them only once on package install, if missing, generally verifying that Unbound can keep them updated even after long downtimes.
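One way to implement the "bootstrap once on install, only if missing" step chosen above, written as a postinst-style shell helper. This is an added example, not DietPi's or Debian's code. The paths `/var/lib/unbound/root.key` (Unbound's auto-trust-anchor-file) and `/usr/share/dns/root.key` (the copy shipped by dns-root-data), the `unbound` service user and the `UNBOUND_ANCHOR_BIN` override are assumptions for illustration. The validity check is a format check only (a DS or DNSKEY record for "."); authenticity of the anchor comes from APT, as the comment argues, not from this script. The fallback to unbound-anchor's built-in key corresponds to the first option in the list and is only reached when dns-root-data is absent.

```shell
#!/bin/sh
# Hypothetical bootstrap helper (added example, not DietPi's or Debian's code).
# Assumed paths: Unbound's auto-trust-anchor-file and the file shipped by dns-root-data.
UNBOUND_ANCHOR_FILE=${UNBOUND_ANCHOR_FILE:-/var/lib/unbound/root.key}
DNS_ROOT_DATA_KEY=${DNS_ROOT_DATA_KEY:-/usr/share/dns/root.key}
UNBOUND_ANCHOR_BIN=${UNBOUND_ANCHOR_BIN:-unbound-anchor}

# anchor_file_valid FILE
# True if FILE is non-empty and carries at least one DS or DNSKEY record for the
# root zone "." in zone-file syntax. Both the dns-root-data file and the file
# unbound-anchor writes look like this; autotrust ";;" metadata lines are ignored.
anchor_file_valid() {
    [ -s "$1" ] && grep -Eq '^\.[[:space:]]+([0-9]+[[:space:]]+)?(IN[[:space:]]+)?(DS|DNSKEY)[[:space:]]+' "$1"
}

# bootstrap_root_anchor DEST SRC
# Creates DEST only if it is missing or unusable: first from SRC (the dns-root-data
# copy, authenticated via APT), otherwise from unbound-anchor's built-in key.
# An existing valid DEST is never touched, so an anchor Unbound has already rolled
# via RFC 5011 is not overwritten with a stale one on package upgrade.
# Returns 0 on success, 2 if no usable anchor could be produced.
bootstrap_root_anchor() {
    dest=$1
    src=$2
    if anchor_file_valid "$dest"; then
        echo "root anchor already present: $dest"
        return 0
    fi
    if anchor_file_valid "$src"; then
        cp "$src" "$dest" && chmod 0644 "$dest" || return 2
        # Unbound rewrites the file on key rollover, so it must own it; only root can chown.
        # The "unbound" user is an assumption matching Debian's package.
        if [ "$(id -u)" = 0 ] && getent passwd unbound >/dev/null 2>&1; then
            chown unbound:unbound "$dest" || return 2
        fi
        echo "root anchor bootstrapped from $src"
        return 0
    fi
    if command -v "$UNBOUND_ANCHOR_BIN" >/dev/null 2>&1; then
        # unbound-anchor exits 1 when it wrote the built-in anchor or updated the
        # file, 0 when nothing was needed, and also 0 on some errors; hence the
        # resulting file is validated instead of trusting the exit code alone.
        rc=0
        "$UNBOUND_ANCHOR_BIN" -a "$dest" || rc=$?
        if [ "$rc" -le 1 ] && anchor_file_valid "$dest"; then
            echo "root anchor bootstrapped from unbound-anchor built-in data"
            return 0
        fi
    fi
    echo "error: no usable root trust anchor for $dest" >&2
    return 2
}

# Usage from a postinst: bootstrap_root_anchor "$UNBOUND_ANCHOR_FILE" "$DNS_ROOT_DATA_KEY" || exit 1
```

Running this once at install time, rather than unbound-anchor on every service start, leaves the running anchor under Unbound's own RFC 5011 tracking, which is exactly what the comment wants to verify works across long downtimes; the helper's refusal to overwrite a valid existing file is what keeps a later upgrade from undoing a rollover Unbound has already recorded.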