unbound service very slow to start in offline setup
-
Hi,
We have pfSense installed in an offline network. I had an issue each time unbound was restarted, since by default unbound-anchor is also started and tries to connect to the internet for more than 1 minute.
I did not find a way to disable this behavior and had to replace the unbound-anchor binary with a dummy script that does nothing.
Any idea how to set it up correctly?
Best regards,
Damien
-
@damienwab34 said in unbound service very slow to start in offline setup:
unbound-anchor
unbound-anchor is a small stand-alone program that updates this file:
/var/unbound/root.key
It's the DNSSEC root cert. This key cert can get updated, normally every 2 or 3 years or so. If you do not have the right key, DNSSEC will totally break.
pfSense, when starting (syncing) unbound, also kicks off the unbound-anchor program that updates this file. And guess what: this needs Internet access.
You could decide to turn off DNSSEC.
unbound won't use the /var/unbound/root.key any more, as the reference to it is removed from its config file.
See also line 191, /etc/inc/unbound.inc: the root.key file (auto-trust-anchor-file unbound option) is only used when DNSSEC is activated.
But ..... even if the file isn't used any more (so no need to update it .... this is what I presume), why start unbound-anchor on every unbound (re)start?
It will not succeed for "off-line networks" - and for these networks DNSSEC doesn't make sense anyway.
Line 600: /etc/unbound.inc : function do_as_unbound_user($cmd, $param1 = "") {
Some recoding is needed so unbound-anchor is only called when it is actually needed == when DNSSEC is activated.
EDIT:
/etc/inc/unbound.inc : Line 119 :
Change
do_as_unbound_user("unbound-anchor", $cfgsubdir);
for
if (isset($unboundcfg['dnssec'])) do_as_unbound_user("unbound-anchor", $cfgsubdir);
and line 567 :
do_as_unbound_user("unbound-anchor");
for
if (isset($config['unbound']['dnssec'])) do_as_unbound_user("unbound-anchor");
These two tests make sure that "unbound-anchor" is run only if DNSSEC is activated.
Without DNSSEC, getting the root.key file is not needed, as its option in the main unbound.conf file is removed : unbound doesn't do DNSSEC.
Running "unbound-anchor" will need a working access to the Internet.
DNSSEC needs a working access to the Internet.
Btw: I tested these edits.
So, with DNSSEC unchecked, no more "root.key" file is generated => because "unbound-anchor" isn't called.
-
Redmine issue:
https://redmine.pfsense.org/issues/12985