unbound persistent zone file
-
Good day
We have several pfSense HA-clusters and they use internal domain zone for interconnection.
It was decided to use unbound's "auth-zone" for collecting (AXFR/IXFR) this zone from NS servers and locally storing it in each cluster for performance and reliability reasons. During the configuration process, I encountered the problem of saving the zone file: content in the /var directory is not persistent, and attempts to save in (as far as I understand) persistent places (/usr/local/etc/unbound/zones/ or /cf/conf/zones/) lead to errors like:
error: could not open /usr/local/etc/unbound/zones/zone_name.zone.tmp19897: No such file or directory
albeit the necessary ownership rights were assigned to the unbound user/group.
I don't know the FreeBSD environment and the inner workings of pfSense well, so maybe I'm missing something obvious?
Is it possible to work around my problem and achieve a persistent zone file between reboots?
// pfSense 2.8.1 / unbound 1.24.2
-
Custom DNS Resolver/Unbound configuration should be entered into the "Custom options" box under
Services / DNS Resolver / General Settings (near the bottom of the page). -
@tinfoilmatt
It's not about saving the configuration (it's already done), but about saving a separate zone file to which unbound refers from the config directive saved in "Custom options". auth-zone conf part:
auth-zone:
    name: "example.com"
    primary: 192.168.xxx.1
    primary: 192.168.xxx.2
    fallback-enabled: no
    for-downstream: no
    for-upstream: yes
    zonemd-check: no
    zonemd-reject-absence: no
    zonefile: "/usr/local/etc/unbound/zones/example.com.zone"
-
@silmor_senedlen "/root/example.com.zone"? -
@silmor_senedlen Also looks like "fallback-enabled: no", "for-upstream: yes", "zonemd-check: no", and "zonemd-reject-absence: no" are unnecessary since they're at their default values. But I can appreciate belt-and-suspenders approaches when it comes to sensitive matters. -
@tinfoilmatt said in unbound persistent zone file:
"/root/example.com.zone"?
drwxr-xr-x 4 root wheel 512 Oct 1 17:48 /root/
Obviously, unbound's user doesn't have write permissions in this directory.
It's necessary that:
- user 'unbound' has rw permissions to some directory
- custom-created files (by unbound, but not part of pfSense's config) in that directory survive a pfSense reboot.
Also surviving updates: desirable, but not critical.
@tinfoilmatt said in unbound persistent zone file:
their default values
I know that, and it's intended.
-
@silmor_senedlen said in unbound persistent zone file:
Obviously, unbound's user doesn't have write permissions in this directory.
Grant user unbound rw access to the file only, stored in /root. I suggest the location only because I know for a fact that it's persistent. -
@silmor_senedlen You could also create "/root/[zone file subdirectory]" and grant user unbound rw access to the entire subfolder if you anticipate additional auth-zones. -
@tinfoilmatt said in unbound persistent zone file:
You could also create "/root/[zone file subdirectory]" and grant user unbound rw access to the entire subfolder
As you can see in my first post, I already tried the same in other directories:
/usr/local/etc/unbound/zones/
/cf/conf/zones/
This, like previous similar attempts, fails when unbound tries to create a temporary file before writing to the zone file itself.
Maybe that's due to unbound being chroot'ed by default to /var/unbound (I don't know the nuances of chroot), but so far I don't see any way to write outside of /var/unbound.
That's why I came to the forum.
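To make the chroot point concrete, here is an added shell diagnostic (not from this thread, nor from pfSense or unbound itself) that mimics how unbound resolves a configured file path once it has chrooted to /var/unbound and reports whether the directory that would receive the zone file and its .tmpNNNN sibling exists on the host. It assumes that "directory:" equals the chroot, as on pfSense, and that an absolute path already starting with the chroot is used as-is while any other path is opened relative to the chroot root.

```sh
#!/bin/sh
# Constructed diagnostic, not part of the thread, pfSense or unbound.
# Assumption: unbound opens files after chroot(); a path that already starts
# with the chroot directory is used unchanged (unbound strips the prefix), any
# other path is resolved relative to the chroot root. "directory:" == chroot.

# Print the host-side path unbound actually opens for a configured path.
effective_path() {
    chroot_dir="${1%/}"
    conf_path="$2"
    case "$conf_path" in
        "$chroot_dir"/*) printf '%s\n' "$conf_path" ;;
        /*)              printf '%s/%s\n' "$chroot_dir" "${conf_path#/}" ;;
        *)               printf '%s/%s\n' "$chroot_dir" "$conf_path" ;;
    esac
}

# Succeed only if the directory that would receive the zonefile and its
# temporary sibling exists on the host. If it does not, the open() fails with
# ENOENT, which is the "No such file or directory" error quoted in the thread.
zonefile_dir_ok() {
    eff=$(effective_path "$1" "$2")
    [ -d "$(dirname "$eff")" ]
}

# Demo over the locations tried in the thread plus one inside the chroot
# (constructed run; the ok/missing column depends on the host it runs on).
for p in /usr/local/etc/unbound/zones/example.com.zone \
         /cf/conf/zones/example.com.zone \
         /root/dns/zones/example.com.zone \
         /var/unbound/zones/example.com.zone; do
    if zonefile_dir_ok /var/unbound "$p"; then status=ok; else status=missing; fi
    printf '%-45s -> %s [%s]\n' "$p" "$(effective_path /var/unbound "$p")" "$status"
done
```

Note that ownership granted on the host path (chown on /root/dns) never reaches the path unbound actually opens (/var/unbound/root/dns/...), so the permission checks in the thread cannot succeed on their own.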
-
@silmor_senedlen said in unbound persistent zone file:
As you can see in my first post, I already tried the same in other directories:
/usr/local/etc/unbound/zones/ /cf/conf/zones/
This, like previous similar attempts, fails when unbound tries to create a temporary file before writing to the zone file itself.
You should try the same in "/root/[subdirectory]", granting appropriate permissions to user unbound over "[subdirectory]". Have you tried entering the include: directive into your "Custom options"? You have yet to reveal what you're actually doing there. -
@tinfoilmatt said in unbound persistent zone file:
granting appropriate permissions to user unbound over "[subdirectory]".
-> mkdir -p /root/dns/zones/
-> chown -R unbound:unbound /root/dns/
-> ls -ald /root/dns/
drwxr-xr-x 3 unbound unbound 512 Dec 16 23:10 /root/dns/
-> ls -ald /root/dns/zones/
drwxr-xr-x 2 unbound unbound 512 Dec 16 23:10 /root/dns/zones/
Changing:
zonefile: "/root/dns/zones/example.com.zone"
Result:
error: could not open /root/dns/zones/example.com.zone.tmp34268: No such file or directory -
@tinfoilmatt said in unbound persistent zone file:
Have you tried entering the include: directive into your "Custom options"?
The include directive is for unbound's config files, not for zone files.
This does not add any special permissions in my situation in any way.
-
@silmor_senedlen Does /var/unbound/unbound.conf contain "include: /root/dns/zones/example.com.zone" (single line)? -
@silmor_senedlen said in unbound persistent zone file:
This does not add any special permissions in my situation in any way.
I'm not so sure.
-
@tinfoilmatt said in unbound persistent zone file:
I'm not so sure.
I already did this 'just to try' (c)
I see no point in trying to sort through any possible combinations of actions without a fundamental understanding of the limitations/features of the system.
It's counterproductive. I hope that one of the developers or users highly experienced in FreeBSD will be able to clarify this problem.
-
@silmor_senedlen Post the entire (relevant) log lines during startup. Not just a snippet of one.
Unbound logging level?
-
@silmor_senedlen said in unbound persistent zone file:
I hope that one of the developers or users highly experienced in FreeBSD will be able to clarify this problem.
If you've identified a coherent feature request, there's always redmine.pfsense.org.
-
I also don't know if I agree with this:
@silmor_senedlen said in unbound persistent zone file:
-> chown -R unbound:unbound /root/dns/
...command.
-
@tinfoilmatt said in unbound persistent zone file:
I also don't know if I agree with this:
In which way do you suppose I should grant rw rights to the unbound user?
-
@silmor_senedlen Show ls -alh /root/dns/zones.