Unbound Error

jconnors · Jun 13, 2019, 2:54 PM

I know this issue has been around for a bit but I've not seen a solid answer for it.

What is the work around here? This system is fully updated btw.

List of services running:

Works great on a clean install, but this FW has been up for a bit.

Any thoughts?

Thank You.

KOM · Jun 13, 2019, 3:09 PM

This thread had a few suggestions, like disabling DNSSEC.

Were you running pfBlocker at some point?

jconnors · Jun 13, 2019, 3:12 PM

@kom No, we've never run anything of the sort on this machine. Pretty much any advice I've seen online I've tried and ruled out thus far.

The only way I've seen it work is with a fresh install and this is a core router, which I can't really do that with.

KOM · Jun 13, 2019, 3:20 PM

I just checked my config and I don't have any test folder with root.key inside. Take a look in /var/unbound/unbound.conf. Look at all the included files and check them for references to /test/root.key. It's got to be there somewhere.

You could also try the nuclear option:

disable resolver
enable forwarder
take a config.xml backup
manually edit it and remove everything between the <unbound></unbound> tags
install fresh, restore your config then disable forwarder and enable resolver

jconnors · Jun 13, 2019, 3:24 PM

I would love to enable Forwarder, but I can't..that error pops up preventing it from starting.

I'll check the rest here. Let you know what I find.

BBcan177 · Jun 15, 2019, 1:43 AM

Try to run this command and see if that fixes it:

unbound-anchor -a /var/unbound/root.key

If not, In the /var/unbound/ folder, delete these four files and reboot:

unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem

stephenw10 · Jun 17, 2019, 11:45 AM

You appear to have the DNS Forwarder (dnsmasq) running in the screenshot above. You cannot enabled the DNS Resolver at the same time unless one is not listening on port 53.

Steve

jconnors · Jun 17, 2019, 1:24 PM

@BBcan177

I had tried that previously and it didn't work. There is a upgrade/reboot planned for next Sunday

@stephenw10

In the screenshot it may have been running, but I assure you that when I tried the change, I did have it turned off.

stephenw10 · Jun 17, 2019, 2:13 PM

Ok, so you're using the Forwarder just because the Resolver won't start currently?

Steve

jconnors · Jun 17, 2019, 2:34 PM

Correct. It works on the other FW's just fine, but this one, because it's the main, can't just be taken down when wanted. Too many other services behind it that can break and all teams need to be on board when a reboot is required in case those services really bork.