[opensuse] Re: Right directroy with trustancor (dnssec) for tumbleweed?

8 Sep 2015

      p, li { white-space: pre-wrap; }p, li { white-space: pre-wrap; }
In data lunedì 24 agosto 2015 09:22:18, hai scritto:
...
I installed tentatively tumbleweed on a PC. My settings for dnssec
validation do fail because dnsmasq fails to start. It cannot find the
directory with the trust anchor (where I followed the indications in  
http://www.heise.de/netze/artikel/Auskunft-mit-Siegel-dnsmasq-als-DNSSEC-va
lidierender-Resolver-2628642.html    which work flawlessly with 13.2
stable).
Have there been any changes to the anchor? Where can I find the content of
/usr/share/dnsmasq/
in tumbleweed. I checked and it seems this directory is simply missing in
tumbleweed.
Thank you.
OK, somebody asked me to report back here. So I confirm, on machines with tumbleweed the aforementioned directory with the trustancor is actually missing and therefore systemd terminates activation of dnsmasq in tumbleweed with cannot find the trustancor. 

Instead, the list of the rmp is:

rpm -q dnsmasq --list

/etc/dbus-1/system.d/dnsmasq.conf
/etc/dnsmasq.conf
/etc/dnsmasq.d
/etc/dnsmasq.d/trust-anchors.conf
/etc/slp.reg.d
/etc/slp.reg.d/dnsmasq.reg
/etc/sysconfig/SuSEfirewall2.d/services/dnsmasq-dhcp
/etc/sysconfig/SuSEfirewall2.d/services/dnsmasq-dns
/srv/tftpboot
/usr/lib/systemd/system/dnsmasq.service
/usr/sbin/dnsmasq
/usr/sbin/rcdnsmasq
/usr/share/doc/packages/dnsmasq
/usr/share/doc/packages/dnsmasq/CHANGELOG
/usr/share/doc/packages/dnsmasq/COPYING
/usr/share/doc/packages/dnsmasq/COPYING-v3
/usr/share/doc/packages/dnsmasq/FAQ
/usr/share/doc/packages/dnsmasq/contrib
/usr/share/doc/packages/dnsmasq/contrib/CPE-WAN
/usr/share/doc/packages/dnsmasq/contrib/CPE-WAN/README
/usr/share/doc/packages/dnsmasq/contrib/conntrack
/usr/share/doc/packages/dnsmasq/contrib/conntrack/README
/usr/share/doc/packages/dnsmasq/contrib/dbus-test
/usr/share/doc/packages/dnsmasq/contrib/dbus-test/dbus-test.py
/usr/share/doc/packages/dnsmasq/contrib/dns-loc
/usr/share/doc/packages/dnsmasq/contrib/dns-loc/README
/usr/share/doc/packages/dnsmasq/contrib/dns-loc/dnsmasq2-loc-rfc1876.patch
/usr/share/doc/packages/dnsmasq/contrib/dnslist
/usr/share/doc/packages/dnsmasq/contrib/dnslist/dhcp.css
/usr/share/doc/packages/dnsmasq/contrib/dnslist/dnslist.pl
/usr/share/doc/packages/dnsmasq/contrib/dnslist/dnslist.tt2
/usr/share/doc/packages/dnsmasq/contrib/dynamic-dnsmasq
/usr/share/doc/packages/dnsmasq/contrib/dynamic-dnsmasq/dynamic-dnsmasq.pl
/usr/share/doc/packages/dnsmasq/contrib/lease-access
/usr/share/doc/packages/dnsmasq/contrib/lease-access/README
/usr/share/doc/packages/dnsmasq/contrib/lease-access/lease.access.patch
/usr/share/doc/packages/dnsmasq/contrib/mactable
/usr/share/doc/packages/dnsmasq/contrib/mactable/macscript
/usr/share/doc/packages/dnsmasq/contrib/openvpn
/usr/share/doc/packages/dnsmasq/contrib/openvpn/README
/usr/share/doc/packages/dnsmasq/contrib/openvpn/dhclient-enter-hooks
/usr/share/doc/packages/dnsmasq/contrib/openvpn/dnsmasq.patch
/usr/share/doc/packages/dnsmasq/contrib/port-forward
/usr/share/doc/packages/dnsmasq/contrib/port-forward/dnsmasq-portforward
/usr/share/doc/packages/dnsmasq/contrib/port-forward/portforward
/usr/share/doc/packages/dnsmasq/contrib/reverse-dns
/usr/share/doc/packages/dnsmasq/contrib/reverse-dns/README
/usr/share/doc/packages/dnsmasq/contrib/reverse-dns/reverse_replace.sh
/usr/share/doc/packages/dnsmasq/contrib/static-arp
/usr/share/doc/packages/dnsmasq/contrib/static-arp/static-arp
/usr/share/doc/packages/dnsmasq/contrib/systemd
/usr/share/doc/packages/dnsmasq/contrib/systemd/README
/usr/share/doc/packages/dnsmasq/contrib/systemd/dbus_activation
/usr/share/doc/packages/dnsmasq/contrib/systemd/dnsmasq.service
/usr/share/doc/packages/dnsmasq/contrib/try-all-ns
/usr/share/doc/packages/dnsmasq/contrib/try-all-ns/README
/usr/share/doc/packages/dnsmasq/contrib/try-all-ns/README-2.47
/usr/share/doc/packages/dnsmasq/contrib/try-all-ns/dnsmasq-2.35-try-all-ns.patch
/usr/share/doc/packages/dnsmasq/contrib/try-all-ns/dnsmasq-2.47_no_nxdomain_until_end.patch
/usr/share/doc/packages/dnsmasq/contrib/try-all-ns/dnsmasq-2.68-try-all-ns
/usr/share/doc/packages/dnsmasq/contrib/webmin
/usr/share/doc/packages/dnsmasq/contrib/webmin/README
/usr/share/doc/packages/dnsmasq/contrib/webmin/dnsmasq.wbm
/usr/share/doc/packages/dnsmasq/contrib/wrt
/usr/share/doc/packages/dnsmasq/contrib/wrt/Makefile
/usr/share/doc/packages/dnsmasq/contrib/wrt/README
/usr/share/doc/packages/dnsmasq/contrib/wrt/dhcp_lease_time.1
/usr/share/doc/packages/dnsmasq/contrib/wrt/dhcp_lease_time.c
/usr/share/doc/packages/dnsmasq/contrib/wrt/dhcp_release.1
/usr/share/doc/packages/dnsmasq/contrib/wrt/dhcp_release.c
/usr/share/doc/packages/dnsmasq/contrib/wrt/lease_update.sh
/usr/share/doc/packages/dnsmasq/dbus
/usr/share/doc/packages/dnsmasq/dbus/DBus-interface
/usr/share/doc/packages/dnsmasq/dbus/dnsmasq.conf
/usr/share/doc/packages/dnsmasq/dnsmasq.conf.example
/usr/share/doc/packages/dnsmasq/doc.html
/usr/share/doc/packages/dnsmasq/setup.html
/usr/share/locale/de/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/es/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/fi/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/fr/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/id/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/it/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/nb/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/pl/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/pt_BR/LC_MESSAGES/dnsmasq.mo
/usr/share/locale/ro/LC_MESSAGES/dnsmasq.mo
/usr/share/man/es/man8/dnsmasq.8.gz
/usr/share/man/fr/man8/dnsmasq.8.gz
/usr/share/man/man8/dnsmasq.8.gz

As you see: there is now the directoy /etc/dnsmasq.d/trust-anchors.conf 

So, if I give apparmor reading rights for the trustancor with 

/etc/dnsmasq.d/* r  within /etc/apparmor.d/local/usr.sbin.dnsmasq ,  is this all right or do I create a security issue here. With other words, should a user be able to read in this directory or not? 
If not, how should I go forward with this issue? Or should I file a bug?

Thank you

---
Alle Postfächer an einem Ort. Jetzt wechseln und E-Mail-Adresse mitnehmen! http://email.freenet.de/basic/Informationen

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

stakanov＠freenet.de

tags

participants (1)