Unbound cannot start in 2.2 RELEASE
-
Hi.
Upgraded to 2.2RELEASE from 2.2 Snapshot ( 16th ), tried to use "unbound" in options and it cannot start. tried to enable, disable … nothing. Ended up using the old dnsmask instead. Here s the log:
Jan 24 15:40:38 unbound: [7534:0] notice: init module 0: validator
Jan 24 15:40:38 unbound: [7534:0] error: ldns error while converting string to RR at17: Syntax error, could not parse the RR's type: tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
Jan 24 15:40:38 unbound: [7534:0] error: failed to load trust anchor from /root.key at line 1, skipping
Jan 24 15:40:38 unbound: [7534:0] error: failed to read /root.key
Jan 24 15:40:38 unbound: [7534:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
Jan 24 15:40:38 unbound: [7534:0] error: validator: error in trustanchors config
Jan 24 15:40:38 unbound: [7534:0] error: validator: could not apply configuration settings.
Jan 24 15:40:38 unbound: [7534:0] error: module init for module validator failed
Jan 24 15:40:38 unbound: [7534:0] fatal error: failed to setup modules
Jan 24 15:40:45 unbound: [28992:0] notice: init module 0: validator
Jan 24 15:40:45 unbound: [28992:0] error: ldns error while converting string to RR at17: Syntax error, could not parse the RR's type: tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
Jan 24 15:40:45 unbound: [28992:0] error: failed to load trust anchor from /root.key at line 1, skipping
Jan 24 15:40:45 unbound: [28992:0] error: failed to read /root.key
Jan 24 15:40:45 unbound: [28992:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
Jan 24 15:40:45 unbound: [28992:0] error: validator: error in trustanchors config
Jan 24 15:40:45 unbound: [28992:0] error: validator: could not apply configuration settings.
Jan 24 15:40:45 unbound: [28992:0] error: module init for module validator failed
Jan 24 15:40:45 unbound: [28992:0] fatal error: failed to setup modules -
I don't know if I had the same errors you are having (I was tired as hell and not expecting problems with the upgrade). I was having problems with unbound and after some basic troubleshooting I decided that it would be simply to try a fresh install of 2.2 (and go back to 2.1.5 if that didn't work) than try to troubleshoot it while my entire LAN was upset by the broken DNS resolving. But I did a fresh install from ISO and then uploaded my config file that I had backed up just moments before upgrading to 2.2. The system came right up and worked.
So I presume something in the upgrade doesn't quite go 100%, but a fresh install does. I'd recommend you do a fresh install of 2.2 and then upload your backed up config file from before you upgraded. It worked for me.
-
Sollution is simple. During the upgrade your root.key file got corrupt. If you open it you will get binary content instead of text. Work around is simple: remove the file and recreate it with the correct content.
-
okay i found stuff here: https://www.unbound.net/documentation/howto_anchor.html
Maybe i will use the util to recreate it i guess …
-
okay for anybody experiencing the same issue, this is how i solved it:
went into the diagnostics _> command menu and typed in line by line:
rm /var/unbound/root.key
unbound-anchor -a /var/unbound/root.key
chown unbound /var/unbound/root.key
After that, unbound stars fine now :)
One thing i don't know, does that unbound-anchor generate the right key file to use ? or did pfsense have a custom file that is more updated ?
-
I copied the root.key file from another pfsense firewall still running 2.1.5 and unbound. I just did the unbound-anchor command as you provided but to a temporary file. Both files are identically so the file created with the command is the latest version.
-
I copied the root.key file from another pfsense firewall still running 2.1.5 and unbound. I just did the unbound-anchor command as you provided but to a temporary file. Both files are identically so the file created with the command is the latest version.
thanks for confirming that !
-
There's really no need to copy anything from anywhere. It gets downloaded from root servers when you start unbound, kindly read /etc/inc/unbound.inc
-
The only thing odd I've noticed with unbound is that if I try to use Drill without putting a DNS server in system > general, drill reports nothing.
$ drill google.com
Error: error sending query: No (valid) nameservers defined in the resolverBut then if I put 8.8.8.8 in the server list:
$ drill google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 24628
;; flags: qr rd ra ; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A;; ANSWER SECTION:
google.com. 131 IN A 74.125.22.100
google.com. 131 IN A 74.125.22.138
google.com. 131 IN A 74.125.22.101
google.com. 131 IN A 74.125.22.139
google.com. 131 IN A 74.125.22.113
google.com. 131 IN A 74.125.22.102;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 20 msec
;; SERVER: 8.8.8.8
;; WHEN: Mon Jan 26 12:12:03 2015
;; MSG SIZE rcvd: 124So - A little bit of strange behavior and not sure why.
Without the 8.8.8.8 in the server list, all is fine EXCEPT things like drill from command prompt.Any clues?
-
I guess you should uncheck the "Do not use the DNS Forwarder as a DNS server for the firewall" in System - General. (Should see 127.0.0.1 in System Information - DNS Server(s) dashboard).
-
That is checked and all is fine and working for all clients and also for pfsense update status.
Just not for drill. No idea why.
I put my LAN IP in the server list just to see what would happen and all is well.I wouldn't mind having 8.8.8.8/8.8.4.4 in the list as long as I can be 100% sure its never going to be used by LAN clients for DNS resolution.
-
Yes. You should UNcheck that.
-
I just did as you suggested and its working fine with that being unchecked as you suggest and nothing entered into the IP list.
The only reason I ever did check that block is because just yesterday update status wouldn't work unless I checked it but today seems it is working.
Maybe I just needed to wait a bit? No idea.
Ohhhhh well - Its working now. Good enough for me.
Which button do you prefer I press? [applaud] or [smite]?
Looks like you are trying to break the record for most helpful person with most smites. haha.
-
The only reason I ever did check that block is because just yesterday update status wouldn't work unless I checked it but today seems it is working.
The updates/packages site seems to randomly become unresponsive without any good reason. (Not really any pattern but it happens much more frequently on boxes with IPv6 connectivity.)
Which button do you prefer I press? [applaud] or [smite]?
Looks like you are trying to break the record for most helpful person with most smites.LOLz… Press whatever you want. This karma thing should be nuked from the forum.
-
^ I have been clicking applaud on dok whenever I remember.. Trying to get him into the positive range where he should be ;)
Seems he ticked off someone with more desire to keep sending him down, where my buddy only did about 20 before got bored..
-
^ I have been clicking applaud on dok whenever I remember.. Trying to get him into the positive range where he should be ;)
Seems he ticked off someone with more desire to keep sending him down, where my buddy only did about 20 before got bored..
I should probably smite him for highjacking my thread ! lol ( j/k ).
By the way, the reason i had to recreate that key file is because unbound would not recreate it during bootup or startup. I didn't copy it form anywhere, I just used the unbound utility that seeds that file form somewhere.
-
okay for anybody experiencing the same issue, this is how i solved it:
rm /var/unbound/root.key
unbound-anchor -a /var/unbound/root.key
chown unbound /var/unbound/root.keyWas having a heck of a time on my 2.2.2 install with the same issue. Thanks for your help - fix worked for me! I wonder why this file gets corrupt? I was messing around with captive portal, it happened after that… not sure if that's related or coincidental.
-
I recently moved, and when I re-connected my device unbound wouldn't start.
Before I performed the required steps to recreate the root.key file, I looked at it with "cat /var/unbound/root.key"
I was surprised to find this…# The format of this file is documented in the dhcpd.leases(5) manual page. # This lease file was written by isc-dhcp-4.2.6 lease 10.0.2.135 { starts 0 2015/05/24 21:24:57; ends 0 2015/05/24 21:47:05; tstp 0 2015/05/24 21:47:05; cltt 0 2015/05/24 21:24:57; binding state free; hardware ethernet 00:0c:29:x:x:x; } lease 10.0.2.136 { starts 1 2015/05/25 17:26:23; ends 1 2015/05/25 19:26:23; tstp 1 2015/05/25 19:26:23; cltt 1 2015/05/25 17:26:23; binding state free; hardware ethernet e4:ce:8f:x:x:x; uid "\001\344\316\217*\311\226"; } lease 10.0.2.134 { starts 1 2015/05/25 17:50:13; ends 2 2015/05/26 17:50:13; tstp 2 2015/05/26 17:50:13; cltt 1 2015/05/25 17:50:13; binding state free; ....
After recreating the root.key file it looks completely different…
; autotrust trust anchor file ;;id: . 1 ;;last_queried: 1434226551 ;;Sat Jun 13 16:15:51 2015 ;;last_success: 1434226551 ;;Sat Jun 13 16:15:51 2015 ;;next_probe_time: 1434266973 ;;Sun Jun 14 03:29:33 2015 ;;query_failed: 0 ;;query_interval: 43200 ;;retry_time: 8640 . 172800 IN DNSKEY 257 3 8 ...
Is another process writing to this file and breaking unbound?
-
@beetlejelly:
Is another process writing to this file and breaking unbound?
No, that's typical of what happens when a file isn't fsynced and you lose power shortly after writing it. Should be worked around now, and reported upstream to be fixed in Unbound.
https://redmine.pfsense.org/issues/5334