Replace unbound v1.13 with v1.12

amestag

Hello,

Since pfSense 2.5, there's an issue with the DNS Resolver a.k.a unbound.
It crashes a lot, and when using the "Service Watchdog" package, it can get stuck in some kind of infinite loop.

See Redmine Issue #11316, along with related unbound issue on GitHub.

Since then

• The package unbound112 is provided.
  • Apparently, pfSense Plus 21.05 was released with unbound 112.
  • But no new pfSense CE release was made with unbound112 by default.

How can I replace my "unbound" package with the more stable "unbound112" ?

It fails when I try the following :

pkg-static install unbound112

I actually need to run it twice to get it to notice that it needs to remove the conflicting package unbound v1.13

Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	unbound112: 1.12.0_1 [pfSense]

Number of packages to be installed: 1

The process will require 8 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching unbound112-1.12.0_1.txz: 100%    1 MiB   1.2MB/s    00:01    
Checking integrity... done (1 conflicting)
  - unbound112-1.12.0_1 [pfSense] conflicts with unbound-1.13.1 [installed] on /usr/local/etc/unbound/unbound.conf.sample
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	unbound112: 1.12.0_1 [pfSense]

Number of packages to be installed: 1

The process will require 8 MiB more space.

Proceed with this action? [y/N]: y
Fetching unbound-1.13.1.txz: 100%    1 MiB   1.2MB/s    00:01    
[1/3] Deinstalling unbound-1.13.1...
[1/3] Deleting files for unbound-1.13.1: 100%
[1/3] Installing unbound-1.13.1...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[1/3] Extracting unbound-1.13.1: 100%
[2/3] Installing unbound112-1.12.0_1...
pkg-static: unbound112-1.12.0_1 conflicts with unbound-1.13.1 (installs files into the same place).  Problematic file: /usr/local/etc/unbound/unbound.conf.sample

Then when I run the same command a 2nd time :

Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (2 conflicting)
  - unbound112-1.12.0_1 [pfSense] conflicts with unbound-1.13.1 [installed] on /usr/local/etc/unbound/unbound.conf.sample
  - unbound112-1.12.0_1 [pfSense] conflicts with unbound-1.13.1 [pfSense] on /usr/local/etc/unbound/unbound.conf.sample
Checking integrity... done (0 conflicting)
The following 5 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
	pfSense: 2.5.1
	php74-pfSense-module: 0.69_1
	strongswan: 5.9.1
	unbound: 1.13.1

New packages to be INSTALLED:
	unbound112: 1.12.0_1 [pfSense]

Number of packages to be removed: 4
Number of packages to be installed: 1

The operation will free 3 MiB.

Proceed with this action? [y/N]: y
pkg-static: Cannot delete vital package: pfSense!
pkg-static: If you are sure you want to remove pfSense, 
pkg-static: unset the 'vital' flag with: pkg set -v 0 pfSense

I get an error saying that I can't uninstall pfSense 2.5.1. Which makes sense, I actually just want to replace the unbound package, not downgrade the whole thing.

KOM

@amestag You could just wait a week or two for 2.5.2 instead of potentially breaking your system.

amestag

@kom First of all, I do everything in a virtual machine first to make sure I won't break anything in production :-)
(Although I admit it's not ideal : I still didn't see that unbound crashed when I tested on a virtual machine)

How do I know pfSense 2.5.2 will be out in 1 or 2 weeks ? If so, great, but if not, I can't wait around and do nothing :

@amestag You could just wait a week or two for 2.5.2 instead of potentially breaking your system.

My system is actually broken right now, which why I'm looking for a solution right now too.

Is it actually possible to make use of the "unbound112" package or not ?

I also noticed that there may be a fix on the unbound side, and that it's been imported for v1.13.1_2, but I do not know when it will be made available for all either.

KOM

@amestag said in Replace unbound v1.13 with v1.12:

How do I know pfSense 2.5.2 will be out in 1 or 2 weeks ?

Just a guess. Netgate has said that CE releases will shortly follow Plus releases.

My system is actually broken right now, which why I'm looking for a solution right now too.

I would use forwarder temporarily until a real fix is available to you.

Is it actually possible to make use of the "unbound112" package or not ?

I doubt anyone has tried.

amestag

Just a guess. Netgate has said that CE releases will shortly follow Plus releases.

Alright, I can't wait for it but I will keep an eye out

I would use forwarder temporarily until a real fix is available to you.

I will look into this too. I just need to have another DNS server to forward too, but that might be doable.

I doubt anyone has tried.

Alright, got it

KOM

@amestag said in Replace unbound v1.13 with v1.12:

I just need to have another DNS server to forward too

There's only about a million of them. 1.1.1.1, 4.4.4.4, 8.8.8.8, your ISP...

Free and Public DNS Servers