v1.2.0 trust_anchors.file_current
If I run kresd with the -k /root.key argument, the value of trust_anchors.file_current is nil, but if I set trust_anchors.file="/root.key" then trust_anchors.file_current="/root.keys". I was expecting that the -k root argument is the same as trust_anchors.file. Is it a bug or my misconception?
Activity
- Owner
Hmm, strange. Does it print anything interesting if run with `--verbose`? For me it seems OK:

```
$ kresd -a ::1#5353 -t ::1#5366 -v -k /tmp/test-root.key
[ ta ] keyfile '/tmp/test-root.key': doesn't exist, bootstrapping
[ ta ] warning: root anchor bootstrapped, you SHOULD check the key manually, see: https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs
[system] interactive mode
...
> trust_anchors.file_current
/tmp/test-root.key
```
- Owner
We changed some stuff around readability/writability of the path. It's possible some case has been missed.
- Author Reporter
I'm testing it on omnia
```
root@turris:~# cat /tmp/kresd.config
--Automatically generated file; DO NOT EDIT
modules = {
  'hints > iterate'
  , 'policy'
  , 'stats'
  , predict = {
      window = 30 -- 30 minutes sampling window
      , period = 24*(60/30) -- track last 24 hours
  }
}
hints.config('/etc/hosts')
net.bufsize(4096)
net.ipv4=true
net.ipv6=true
cache.open(20*MB)
cache.clear()
```

```
root@turris:~# kresd -c /tmp/kresd.config -k /etc/root.keys --verbose
[ 0][hint] reading '/etc/hosts'
[ 0][hint] loaded 1 hints
[ ta ] keyfile '/etc/root.keys': not writeable, starting in unmanaged mode
[ ta ] key: 19036 state: Valid
[system] interactive mode
> trust_anchors.file_current
nil
> trust_anchors
[hold_down_time] => 2592000000
[refresh_ev] => 1
[keep_removed] => 0
[config] => function: 0xb68d72b0
[insecure] => {
}
[keyset] => {
    [1] => {
        [owner] => \0
        [key_tag] => 19036
        [state] => Valid
        [type] => 43
        [ttl] => 3600
        [rdata] => J\\8\2I\170\193\29{odFp.T\161`sq`z\26A\133R\0\253,\225\205\2222\242N\143\181
        [class] => 1
    }
}
```

```
root@turris:/etc# ls -la root.keys
-rw-r--r-- 1 root root 83 Jan 26 13:23 root.keys
```
- Guest
That's correct. The ta current_file is nil in unmanaged mode (directory or keyfile not writeable).
- Guest
Setting a non-writeable file, or a file in a non-writeable directory, in managed mode manually will just barf later on renewal.
- Author Reporter
OK so this issue could be probably closed.
I was thinking that if I set the key by trust_anchors.file it should behave in the same way as when it's set by the -k argument (current_file should be nil). In both cases the keyset is created, but the only difference visible to me was the missing current_file variable.
- Guest
@jpavlinec It sort of behaves the same :), the `trust_anchors.config()` has a second option whether it's managed or not. So if you have your TA in a read-only location, you should call `trust_anchors.config(<file>,true)`. But let's keep this open and do a refactoring on the code to handle more cases like that.
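As an added illustration of the managed/unmanaged distinction discussed in this thread (example config written for this page, not code from the issue or from the kresd project), the following Lua fragment decides the mode explicitly from the key file's state instead of relying on kresd's internal writability check, and makes the result visible. It assumes the `trust_anchors.config(path, unmanaged)` signature described above, where `true` selects unmanaged (read-only) mode, and the `trust_anchors.file_current` / `trust_anchors.keyset` fields shown in the dumps above.

```lua
-- Added example: explicit trust-anchor mode selection for a kresd config.
-- Assumes trust_anchors.config(path, unmanaged) as described in the thread.
local ta_path = '/etc/root.keys'   -- same path as in the report

-- 'r+' opens an existing file for update without creating it, so it
-- separates "present and writable" from "present but read-only"; a file
-- that cannot be opened at all is left for kresd to bootstrap.
local function ta_file_state(path)
  local f = io.open(path, 'r+')
  if f then f:close(); return 'writable' end
  f = io.open(path, 'r')
  if f then f:close(); return 'readonly' end
  return 'missing'
end

local state = ta_file_state(ta_path)
-- Read-only file: ask for unmanaged mode up front rather than having
-- managed mode fail later when it tries to rewrite the file on renewal.
trust_anchors.config(ta_path, state == 'readonly')

-- In unmanaged mode kresd does not rewrite the file, so automatic key
-- rollover tracking is off and file_current stays nil; whoever manages the
-- file has to keep the anchors current. Log which mode we ended up in.
if trust_anchors.file_current == nil then
  print(string.format('[ta] %s: unmanaged mode (file %s), no automatic rollover',
                      ta_path, state))
else
  print(string.format('[ta] managed mode, current file: %s',
                      trust_anchors.file_current))
end

-- Whatever the mode, refuse to start validating with an empty keyset.
assert(#trust_anchors.keyset > 0, 'no trust anchors loaded from ' .. ta_path)
```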
- Ondřej Surý assigned to @ondrej
- Ondřej Surý changed milestone to %1.3.0 release
- Contributor
Reminder so we do not forget: As we discussed earlier, we should have different options for read-only and managed TA files. Plus handling of error cases should be more deterministic (and shared between CLI and interactive mode)...
- Ondřej Surý changed milestone to %1.3.x
- Petr Špaček added feature label
- Petr Špaček removed milestone
- Contributor
Marking as feature, we should clean the user interface to avoid confusion. It might be material for @vkriz when he gets used to kresd a bit during his bugfixing endeavor.
- Petr Špaček removed assignee
- Petr Špaček assigned to @vkriz
- Vitezslav Kriz mentioned in merge request !358 (merged)
- Petr Špaček removed feature label
- Petr Špaček added minor usability labels
- Contributor
This is a mess. Let's clean it!
- Petr Špaček closed via merge request !358 (merged)
- Petr Špaček closed via commit 43bb5246
- Petr Špaček mentioned in commit 43bb5246