Netgate Discussion Forum

    unbound service very slow to start in offline setup

    DHCP and DNS
    damienwab34

      Hi,

      We have pfSense installed in an offline network. I had an issue each time unbound was restarted, since by default unbound-anchor is also started and tries to connect to the internet for more than 1 minute.

      I did not find a way to disable this behavior and had to replace the unbound-anchor binary with a dummy script that does nothing.

      Any idea how to set it up correctly?

      Best regards,

      Damien

      Gertjan @damienwab34 (last edited by Gertjan)

        @damienwab34 said in unbound service very slow to start in offline setup:

        > unbound-anchor

        unbound-anchor is a small standalone program that updates this file:
        /var/unbound/root.key
        It's the DNSSEC root cert. This key cert can get updated, normally every 2 or 3 years or so. If you do not have the right key, DNSSEC will totally break.

        pfSense, when starting (syncing) unbound, also kicks off the unbound-anchor program that updates this file. And guess what: this needs Internet access.

        You could decide to turn off DNSSEC.
        unbound won't use /var/unbound/root.key any more, as the reference to it is removed from its config file.

        See also line 191 of /etc/inc/unbound.inc: the root.key file (the auto-trust-anchor-file unbound option) is only used when DNSSEC is activated.

        But ..... even if the file isn't used any more (so there is no need to update it .... this is what I presume), why start unbound-anchor on every unbound (re)start?
        It will not succeed for "off-line networks", and for these networks DNSSEC doesn't make sense anyway.

        Line 600, /etc/inc/unbound.inc: function do_as_unbound_user($cmd, $param1 = "") {
        Some recoding is needed so unbound-anchor is only called when it is actually needed == when DNSSEC is activated.

        EDIT :

        /etc/inc/unbound.inc : Line 119 :
        Change

        	do_as_unbound_user("unbound-anchor", $cfgsubdir);
        

        for

        	if (isset($unboundcfg['dnssec']))
        		do_as_unbound_user("unbound-anchor", $cfgsubdir);
        

        and line 567 :

        	do_as_unbound_user("unbound-anchor");
        

        for

        	if (isset($config['unbound']['dnssec']))
        		do_as_unbound_user("unbound-anchor");
        

        These two tests make sure that "unbound-anchor" is run only if DNSSEC is activated.
        Without DNSSEC, getting the root.key file is not needed, as its option in the main unbound.conf file is removed: unbound doesn't do DNSSEC.
        Running "unbound-anchor" needs working access to the Internet.
        DNSSEC needs working access to the Internet.

        Btw: I tested these edits.
        So, with

        (screenshot: df918ebc-2d5a-44ba-8811-ef84dc1b04f3-image.png)

        unchecked, no more "root.key" file is generated => because "unbound-anchor" isn't called.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

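As an added example (not from this thread and not pfSense's own code), a small shell check that applies the same rule outside unbound.inc: inspect the generated unbound.conf and call unbound-anchor only when the auto-trust-anchor-file directive is present, bounded by a timeout so an offline box cannot stall the unbound restart for a minute. The helper names, the constructed sample configs and the use of timeout(1) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): decide whether unbound-anchor
# has any work to do by inspecting the unbound.conf that pfSense generated.
# pfSense only emits "auto-trust-anchor-file" when DNSSEC is enabled, so that
# directive is the signal that root.key must be kept fresh.

# anchor_needed CONF -> exit 0 when CONF activates a trust anchor, 1 otherwise.
anchor_needed() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # match the directive at line start; a commented-out copy does not count
    grep -Eq '^[[:space:]]*auto-trust-anchor-file:' "$conf"
}

# trust_anchor_path CONF -> print the configured root.key path ('' when none)
trust_anchor_path() {
    sed -n 's/^[[:space:]]*auto-trust-anchor-file:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# update_anchor_if_needed CONF SECONDS -> run unbound-anchor only when DNSSEC is
# on, with a timeout so an offline system never blocks the restart for minutes.
# (timeout(1) and "unbound-anchor -a FILE" are assumed to be available.)
update_anchor_if_needed() {
    conf="$1"; limit="${2:-10}"
    if anchor_needed "$conf"; then
        timeout "$limit" unbound-anchor -a "$(trust_anchor_path "$conf")"
    else
        echo "DNSSEC disabled in $conf; skipping unbound-anchor" >&2
    fi
}

# Constructed sample configs so the check can be exercised offline
tmp=$(mktemp -d)
cat > "$tmp/dnssec_on.conf" <<'EOF'
server:
    # generated with the DNSSEC box checked
    auto-trust-anchor-file: /var/unbound/root.key
EOF
cat > "$tmp/dnssec_off.conf" <<'EOF'
server:
    # auto-trust-anchor-file: /var/unbound/root.key   (commented out: inactive)
    do-not-query-localhost: no
EOF
SAMPLE_ON="$tmp/dnssec_on.conf"
SAMPLE_OFF="$tmp/dnssec_off.conf"
```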
          viktor_g (Netgate)

          Redmine issue:
          https://redmine.pfsense.org/issues/12985

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.