Unbound config borked, multiple issues (solved)
pfSense 2.4.2-RELEASE (amd64)
Somehow I borked unbound - whenever I try to do anything on the DNS Resolver configuration page and then go to save the changes all I get is this error on saving on the Unbound settings page:
The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors: /var/unbound/test/unbound.conf:91: error: syntax error read /var/unbound/test/unbound.conf failed: 1 errors in configuration file
var/unbound/test doesn't even exist when I go to check the line referenced, so I'm kind of at a loss on how to try to troubleshoot this.
FYI - you can't even disable unbound when it's in this state since, for some reason, the DNS Resolver page still tries to write a broken config and fails - evidently before it disables the DNS resolver! From the UI it looks like it's disabled (the checkbox is unchecked) but if you try to enable the DNS Forwarder it complains the port is in use and if you go back to the DNS Resolver page for unbound, the checkbox is now checked again!
When I'm trying to disable a service, that's the ONLY thing that should happen. I couldn't even disable the DNS Resolver/unbound to re-enable the forwarder until I could figure the unbound issue out. I had to go into the general settings and disable DNS resolution on the firewall, period, which works; but it would still be nice to be able to switch back to the DNS resolver. Indeed, for either the DNS resolver or DNS forwarder, when enabling one while the other is running it would be wonderful if pfSense was smart enough to prompt you to force the other one off and also disable it. It would greatly reduce confusion when switching between the two and prevent the catch-22 I now find myself in.
OK, apparently I should have just dug a little deeper :-[
Looking in the system log there was a different error that pointed to the unbound.conf in the var/unbound directory, with a different line number that magically lined up with the custom config (surprise!)
Apparently it didn't like:
I'm not sure what put that in the custom options since it's been in there for a long time now, but as soon as I removed that (and two other stats related lines: statistics-cumulative: yes, extended-statistics: yes) I could save the settings page and I can now disable and enable unbound again.
I still say the disable/enable should NOT be reliant on saving out the config - it seems to be an extremely brittle design decision. Also, showing a more useful error message on the DNS Resolver config page - from the actual conf file, not the temp file - would be FAR more useful for troubleshooting.
Oh yeah, I updated from 2.4 to 2.4.2 today, so maybe something changed between the two versions, and that's why it no longer likes the stats config line?
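The troubleshooting step that finally worked above was reading the error logged against the live /var/unbound/unbound.conf rather than the temporary test copy, and matching its line number to the custom options. The script below is an added example (not from the forum post and not pfSense code) that automates that step: it pulls the line number out of an unbound "file:LINE: error: ..." message, prints that line of the config with surrounding context, and, when unbound-checkconf is installed, runs it on the live file to get the message in the first place. The config path /var/unbound/unbound.conf is taken from the post; the sample config and the error text in the demo are constructed, and the broken "statistics-interval 60" line (missing colon) is a made-up stand-in for whatever was actually in the custom options.

```shell
#!/bin/sh
# Added example, not from the forum post or pfSense: map an unbound
# "file:LINE: error: ..." message back to the offending line of the live config.
# Assumptions: the live config lives at /var/unbound/unbound.conf (per the post)
# and the error text comes from the system log or from unbound-checkconf.

# Pull the line number out of a message such as
# "/var/unbound/unbound.conf:91: error: syntax error" (prints nothing if absent).
unbound_error_line() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\):\([0-9][0-9]*\): error: .*/\2/p' | head -n 1
}

# Print the offending line of CONFIG exactly as written in the file.
unbound_offending_line() {
    config="$1"; message="$2"
    n=$(unbound_error_line "$message")
    [ -n "$n" ] || { echo "no line number found in message" >&2; return 1; }
    sed -n "${n}p" "$config"
}

# Print the offending line with two lines of context on each side; ">" marks it.
unbound_error_context() {
    config="$1"; message="$2"
    n=$(unbound_error_line "$message")
    [ -n "$n" ] || return 1
    awk -v n="$n" 'NR >= n-2 && NR <= n+2 { printf "%s%4d: %s\n", (NR == n ? ">" : " "), NR, $0 }' "$config"
}

# Run unbound-checkconf on the live config when it is available and feed its
# output through the helpers; otherwise fall back to a message passed in
# (e.g. copied from the system log).
check_unbound_config() {
    config="$1"; fallback_message="$2"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        message=$(unbound-checkconf "$config" 2>&1 || true)
    else
        message="$fallback_message"
    fi
    unbound_error_context "$config" "$message"
}

# Demo on a constructed config standing in for /var/unbound/unbound.conf.
demo_unbound_error() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
server:
    verbosity: 1
    # custom options pasted in from the GUI
    statistics-cumulative: yes
    extended-statistics: yes
    statistics-interval 60
EOF
    # Constructed error text in the shape unbound logs; line 6 (missing colon) is the broken one.
    check_unbound_config "$tmp" "$tmp:6: error: syntax error"
    rm -f "$tmp"
}

demo_unbound_error
```

On a real box you would call check_unbound_config /var/unbound/unbound.conf "" and the helpers would show the marked line straight from the live file; if unbound-checkconf is not on the path, paste the line from the system log as the second argument instead.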