Re: 7.2: unbound(timeout) on startup

2022-11-15 Thread Stuart Henderson
On 2022-11-15, Courtney  wrote:
> I had a similar issue going from 7.1 -> 7.2 (though looking back, I think
> the issue is I made my config change and never rebooted until I upgraded
> to 7.1).

Different issue I think.

> However, my issue was not so much unbound waiting for an interface, but
> rather I wanted to allow listening on IPv6 and thus added my router's IPv6
> address to be an interface. Since the IP didn't exist (since I had to wait
> for dhcpcd to get the delegation) I had to change my order of operations
> since unbound would start before dhcpcd. unbound is an early boot script,
> so setting the order with rcctl doesn't work. My solution was to disable
> unbound.
> 
> rcctl disable unbound
>
> Then add it to /etc/rc.local:
>
> rcctl -f start unbound
>
> Now unbound starts last when everything else is done.

It might be simpler to use interface-automatic and listen on :: and
0.0.0.0 rather than waiting (also more robust as it should still work
on v4 in case for some reason you don't get the v6 prefix delegation)
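As an added illustration of the interface-automatic approach (example configuration written for this thread, not taken from any poster's config or from the unbound distribution), here is the fragile form beside the robust form. All addresses are documentation placeholders; substitute the actual LAN ranges.

```conf
# Added example, not from the thread. Placeholder addresses throughout.

# Fragile: binding an address that only exists once the IPv6 prefix
# delegation has arrived makes unbound fail when it starts as an early
# daemon, before dhcpcd has run.
#server:
#    interface: 127.0.0.1
#    interface: 192.0.2.1
#    interface: 2001:db8:1::1      # absent until the delegation arrives

# Robust: bind the wildcard addresses and let interface-automatic pick
# the correct source address for each reply. unbound then starts before
# the interfaces are fully configured and keeps answering on v4 even if
# the v6 prefix never shows up.
server:
    interface: 0.0.0.0
    interface: ::
    interface-automatic: yes
    # With a wildcard bind, access-control (plus pf on the outside
    # interface) is what keeps this from being an open resolver:
    # default refuse, then allow loopback and the LAN ranges explicitly.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow        # placeholder LAN v4
    access-control: 2001:db8:1::/64 allow     # placeholder LAN v6
```

After editing, `unbound-checkconf` validates the file without starting the daemon, which is the quick way to confirm the syntax before the next reboot.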



Re: 7.2: unbound(timeout) on startup

2022-11-15 Thread Courtney
I had a similar issue going from 7.1 -> 7.2 (though looking back, I think
the issue is I made my config change and never rebooted until I upgraded
to 7.1).

However, my issue was not so much unbound waiting for an interface, but
rather I wanted to allow listening on IPv6 and thus added my router's IPv6
address to be an interface. Since the IP didn't exist (since I had to wait
for dhcpcd to get the delegation) I had to change my order of operations
since unbound would start before dhcpcd. unbound is an early boot script,
so setting the order with rcctl doesn't work. My solution was to disable
unbound.


rcctl disable unbound

Then add it to /etc/rc.local:

rcctl -f start unbound

Now unbound starts last when everything else is done.

Courtney

On 11/9/22 12:24, Jonathan Thornburg wrote:

Hi,


since upgrading my router to 7.1 unbound doesn't start up automatically anymore,
instead it times out:

starting early daemons: syslogd pflogd unbound(timeout) ntpd.

It can be started successfully manually later. This setup worked with 7.0.

I have a very similar configuration (apu2 acting as a firewall/router
for home network), with a similar unbound.conf (given below) which is
working fine as of 7.1-stable.  I recently switched from one ISP to another
and there was no problem (literally: unplug ethernet cable from $OLD_ISP
router, plug into $NEW_ISP router, reboot firewall).  My outside interface
has

--- begin /etc/hostname.em0 ---
inet autoconf
--- end /etc/hostname.em0 ---

Does the -d unbound flag give any useful output for you?  More generally,
how are you starting unbound, i.e., what (if any) flags are you passing in
/etc/rc.conf.local?  I have

--- begin /etc/rc.conf.local ---
dhcpd_flags="em1 em2 em3"
unbound_flags=""
dhcpleased_flags=
--- end /etc/rc.conf.local ---

Here is my unbound.conf
--- begin /var/unbound/etc/unbound.conf ---
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
interface: 127.0.0.1
interface: em1  # wired
interface: em2  # wifi
interface: em3  # voip
#interface: 127.0.0.1@5353  # listen on alternative port
#interface: ::1
do-ip6: no
prefer-ip4: yes

# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
#outgoing-interface: 192.0.2.1
#outgoing-interface: 2001:db8::53

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 192.168.155.0/24 allow  # any internal address

private-address: 192.168.0.0/16  # block DNS rebinding attacks, where a
                                 # local browser becomes a trojan

hide-identity: yes
hide-version: yes

# Perform DNSSEC validation.
#
root-hints: "/var/unbound/etc/root.hints"
auto-trust-anchor-file: "/var/unbound/db/root.key"
qname-minimisation: yes
#val-log-level: 2

# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
#aggressive-nsec: yes

# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
#local-zone: "local." static
#local-data: "mycomputer.local. IN A 192.0.2.51"
#local-zone: "2.0.192.in-addr.arpa." static
#local-data-ptr: "192.0.2.51 mycomputer.local"

# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes

# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification.  Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
name: "." # use for ALL queries
##forward-addr: 192.168.1.254   # Telus router
# next non-comment line configures Cloudflare DNS-over-TLS
# ... hostname after the '#' is not a comment, it is used for TLS checks
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-tls-upstream: yes
forward-first: no   # don't fall back to insecure DNS
--- end /var/unbound/etc/unbound.conf ---

ciao,




Re: 7.2: unbound(timeout) on startup

2022-11-10 Thread Stuart Henderson
On 2022-11-10, Martin Schröder  wrote:
> On Thu, 10 Nov 2022 at 11:22, Stuart Henderson wrote:
>> On 2022-11-09, Martin Schröder  wrote:
>> > On Thu, 10 Nov 2022 at 00:02, Martin Schröder wrote:
>> >> This happens only on bootup of the machine... :-(
>> >
>> > I've tried hard to get any log messages for this, but failed so far.
>> > Neither setting a log file for unbound nor "unbound_flags=-d -d"
>> > produced any output.
>>
>> If you use dnssec validation, it's probably the rc-script trying
>> to fetch the anchor.
>
> I do, so it's very possible. Any idea how to get logging from there
> during bootup?

The only way to do that is to modify the rc.d script.




Re: 7.2: unbound(timeout) on startup

2022-11-10 Thread Martin Schröder
On Thu, 10 Nov 2022 at 11:22, Stuart Henderson wrote:
> On 2022-11-09, Martin Schröder  wrote:
> > On Thu, 10 Nov 2022 at 00:02, Martin Schröder wrote:
> >> This happens only on bootup of the machine... :-(
> >
> > I've tried hard to get any log messages for this, but failed so far.
> > Neither setting a log file for unbound nor "unbound_flags=-d -d"
> > produced any output.
>
> If you use dnssec validation, it's probably the rc-script trying
> to fetch the anchor.

I do, so it's very possible. Any idea how to get logging from there
during bootup?

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-10 Thread Stuart Henderson
On 2022-11-10, Jan Stary  wrote:
> On Nov 10 00:39:59, mar...@oneiros.de wrote:
>> On Thu, 10 Nov 2022 at 00:25, Jan Stary wrote:
>> > With my current ISP, putting
>> >
>> > ifconfig pppoe0 down
>> >
>> > into rc.shutdown makes the subsequent boot faster with respect to pppoe.
>> > I suspect it's what you say: the session gets "terminated properly"
>> > somehow; without it, it takes longer before the ISP assigns me
>> > an address.
>> 
>> That helped, thanks!
>> 
>> > !while ! ifconfig pppoe0 | grep -F 185.63.96.79; do date ; sleep 10; done
>> >
>> > at the end of hostname.pppoe makes sure services only start
>> > after I have an address; and dmesg -s shows the waiting, if any.
>> > (Of course, I know the address here - tweak as needed.)
>> 
>> What happens when your pppoe doesn't come up?
>
> It always comes up, eventually.
> But if I don't down the device, it might be minutes.

# Wait up to 30 seconds for pppoe0 to replace the 0.0.0.0 placeholder
# with a real address; after that, carry on so boot is never blocked.
for i in `seq 30`; do
	ifconfig pppoe0 | grep inet | fgrep -w 0.0.0.0 || break
	sleep 1
done


-- 
Please keep replies on the mailing list.
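The bounded wait loop above, Jan's hostname.pppoe loop, and Courtney's rc.local approach can be combined into one script. The following is an added example written for this thread, not code posted by any participant. It assumes the PPPoE interface is named pppoe0, that OpenBSD's ifconfig(8), rcctl(8) and logger(1) are available, and that `start_unbound_when_ready` is called from /etc/rc.local after `rcctl disable unbound`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the PPPoE
# interface is pppoe0, OpenBSD ifconfig(8)/rcctl(8)/logger(1) are present,
# and start_unbound_when_ready is invoked from /etc/rc.local.

# pppoe_has_addr: read ifconfig(8) output on stdin and succeed only if an
# inet line carries something other than the 0.0.0.0 placeholder that
# hostname.pppoe0 configures before the session is up.
pppoe_has_addr() {
    awk '
        $1 == "inet" && $2 != "0.0.0.0" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# wait_for_addr IFACE [SECONDS]: poll once a second until IFACE has a real
# address or SECONDS (default 60) have passed. Returns 0 on success and 1
# on timeout, so the caller decides what to do when PPPoE never comes up.
wait_for_addr() {
    ifc=$1
    limit=${2:-60}
    i=0
    while [ "$i" -lt "$limit" ]; do
        if ifconfig "$ifc" 2>/dev/null | pppoe_has_addr; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "$ifc: no address after ${limit}s, continuing anyway" >&2
    return 1
}

# start_unbound_when_ready: bounded wait, then start the resolver. A
# stalled PPPoE session must not block boot forever, so on timeout we log
# the fact and start unbound anyway; it still serves the LAN interfaces
# and reaches its upstream once the link eventually comes up.
start_unbound_when_ready() {
    wait_for_addr pppoe0 60 || logger -t rc.local "unbound: pppoe0 had no address at start"
    rcctl -f start unbound
}
```

The check is split out of the loop so it can be tested against captured ifconfig output without a live interface, and the timeout is a return value rather than an unconditional `break`, which answers the "what happens when pppoe doesn't come up" question explicitly instead of silently.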



Re: 7.2: unbound(timeout) on startup

2022-11-10 Thread Stuart Henderson
On 2022-11-09, Martin Schröder  wrote:
> On Thu, 10 Nov 2022 at 00:02, Martin Schröder wrote:
>> This happens only on bootup of the machine... :-(
>
> I've tried hard to get any log messages for this, but failed so far.
> Neither setting a log file for unbound nor "unbound_flags=-d -d"
> produced any output.

If you use dnssec validation, it's probably the rc-script trying
to fetch the anchor.




Re: 7.2: unbound(timeout) on startup

2022-11-10 Thread Jan Stary
On Nov 10 00:39:59, mar...@oneiros.de wrote:
> On Thu, 10 Nov 2022 at 00:25, Jan Stary wrote:
> > With my current ISP, putting
> >
> > ifconfig pppoe0 down
> >
> > into rc.shutdown makes the subsequent boot faster with respect to pppoe.
> > I suspect it's what you say: the session gets "terminated properly"
> > somehow; without it, it takes longer before the ISP assigns me
> > an address.
> 
> That helped, thanks!
> 
> > !while ! ifconfig pppoe0 | grep -F 185.63.96.79; do date ; sleep 10; done
> >
> > at the end of hostname.pppoe makes sure services only start
> > after I have an address; and dmesg -s shows the waiting, if any.
> > (Of course, I know the address here - tweak as needed.)
> 
> What happens when your pppoe doesn't come up?

It always comes up, eventually.
But if I don't down the device, it might be minutes.



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Thu, 10 Nov 2022 at 00:25, Jan Stary wrote:
> With my current ISP, putting
>
> ifconfig pppoe0 down
>
> into rc.shutdown makes the subsequent boot faster with respect to pppoe.
> I suspect it's what you say: the session gets "terminated properly"
> somehow; without it, it takes longer before the ISP assigns me
> an address.

That helped, thanks!

> !while ! ifconfig pppoe0 | grep -F 185.63.96.79; do date ; sleep 10; done
>
> at the end of hostname.pppoe makes sure services only start
> after I have an address; and dmesg -s shows the waiting, if any.
> (Of course, I know the address here - tweak as needed.)

What happens when your pppoe doesn't come up?

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Jan Stary
On Nov 09 22:51:08, stu.li...@spacehopper.org wrote:
> On 2022-11-09, Jonathan Thornburg  wrote:
> > Hi,
> >
> >> I suspect that pppoe is a bit slow at startup, so unbound somehow times out
> >> but has no problems once the network setup/the machine is stable.
> 
> The only times I've seen ISPs take more than a few seconds to do pppoe
> (unless they're broken) are if they have an old session hanging around
> from a reboot or crash where the previous session wasn't terminated
> cleanly.

With my current ISP, putting

ifconfig pppoe0 down

into rc.shutdown makes the subsequent boot faster with respect to pppoe.
I suspect it's what you say: the session gets "terminated properly"
somehow; without it, it takes longer before the ISP assigns me
an address.


> > It's an ugly kludge, but what if you put a wrapper script around the
> > unbound binary which delays 30 or 60 seconds before executing the actual
> > unbound binary?
> 
> "!sleep 30" or something in hostname.pppoe0 after "up"?

!while ! ifconfig pppoe0 | grep -F 185.63.96.79; do date ; sleep 10; done 

at the end of hostname.pppoe makes sure services only start
after I have an address; and dmesg -s shows the waiting, if any.
(Of course, I know the address here - tweak as needed.)

Jan



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Thu, 10 Nov 2022 at 00:02, Martin Schröder wrote:
> This happens only on bootup of the machine... :-(

I've tried hard to get any log messages for this, but failed so far.
Neither setting a log file for unbound nor "unbound_flags=-d -d"
produced any output.

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Wed, 9 Nov 2022 at 23:51, Stuart Henderson wrote:
> On 2022-11-09, Jonathan Thornburg  wrote:
> The only times I've seen ISPs take more than a few seconds to do pppoe
> (unless they're broken) are if they have an old session hanging around
> from a reboot or crash where the previous session wasn't terminated
> cleanly.

This happens only on bootup of the machine... :-(

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Stuart Henderson
On 2022-11-09, Jonathan Thornburg  wrote:
> Hi,
>
>> I suspect that pppoe is a bit slow at startup, so unbound somehow times out
>> but has no problems once the network setup/the machine is stable.

The only times I've seen ISPs take more than a few seconds to do pppoe
(unless they're broken) are if they have an old session hanging around
from a reboot or crash where the previous session wasn't terminated
cleanly.

> It's an ugly kludge, but what if you put a wrapper script around the
> unbound binary which delays 30 or 60 seconds before executing the actual
> unbound binary?

"!sleep 30" or something in hostname.pppoe0 after "up"?




Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Jonathan Thornburg
Hi,

> I suspect that pppoe is a bit slow at startup, so unbound somehow times out
> but has no problems once the network setup/the machine is stable.

It's an ugly kludge, but what if you put a wrapper script around the
unbound binary which delays 30 or 60 seconds before executing the actual
unbound binary?

ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Martin Schröder
On Wed, 9 Nov 2022 at 21:25, Jonathan Thornburg wrote:
> --- begin /etc/hostname.em0 ---
> inet autoconf
> --- end /etc/hostname.em0 ---

Well, this is DTAG vDSL, so I have

-- begin /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev vlan7 authproto pap \
authname foo authkey bar \
up
dest 0.0.0.1
inet6 autoconf
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
-- end /etc/hostname.pppoe0

-- begin /etc/hostname.vlan7
vnetid 7 parent em1 up
-- end /etc/hostname.vlan7

-- begin /etc/hostname.em1
up
-- end /etc/hostname.em1

And I have

-- begin /etc/resolv.conf.tail
lookup file bind
family inet6 inet4
-- end /etc/resolv.conf.tail

> Does the -d unbound flag give any useful output for you?  More generally,
> how are you starting unbound, i.e., what (if any) flags are you passing in
> /etc/rc.conf.local?  I have

None.

I suspect that pppoe is a bit slow at startup, so unbound somehow times out
but has no problems once the network setup/the machine is stable.

Best
Martin



Re: 7.2: unbound(timeout) on startup

2022-11-09 Thread Jonathan Thornburg
Hi,

> since upgrading my router to 7.1 unbound doesn't start up automatically anymore,
> instead it times out:
> 
> starting early daemons: syslogd pflogd unbound(timeout) ntpd.
> 
> It can be started successfully manually later. This setup worked with 7.0.

I have a very similar configuration (apu2 acting as a firewall/router
for home network), with a similar unbound.conf (given below) which is
working fine as of 7.1-stable.  I recently switched from one ISP to another
and there was no problem (literally: unplug ethernet cable from $OLD_ISP
router, plug into $NEW_ISP router, reboot firewall).  My outside interface
has

--- begin /etc/hostname.em0 ---
inet autoconf
--- end /etc/hostname.em0 ---

Does the -d unbound flag give any useful output for you?  More generally,
how are you starting unbound, i.e., what (if any) flags are you passing in
/etc/rc.conf.local?  I have

--- begin /etc/rc.conf.local ---
dhcpd_flags="em1 em2 em3"
unbound_flags=""
dhcpleased_flags=
--- end /etc/rc.conf.local ---

Here is my unbound.conf
--- begin /var/unbound/etc/unbound.conf ---
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
interface: 127.0.0.1
interface: em1  # wired
interface: em2  # wifi
interface: em3  # voip
#interface: 127.0.0.1@5353  # listen on alternative port
#interface: ::1
do-ip6: no
prefer-ip4: yes

# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
#outgoing-interface: 192.0.2.1
#outgoing-interface: 2001:db8::53

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 192.168.155.0/24 allow  # any internal address

private-address: 192.168.0.0/16  # block DNS rebinding attacks, where a
                                 # local browser becomes a trojan

hide-identity: yes
hide-version: yes

# Perform DNSSEC validation.
#
root-hints: "/var/unbound/etc/root.hints"
auto-trust-anchor-file: "/var/unbound/db/root.key"
qname-minimisation: yes
#val-log-level: 2

# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
#aggressive-nsec: yes

# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
#local-zone: "local." static
#local-data: "mycomputer.local. IN A 192.0.2.51"
#local-zone: "2.0.192.in-addr.arpa." static
#local-data-ptr: "192.0.2.51 mycomputer.local"

# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes

# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification.  Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
name: "."   # use for ALL queries
##forward-addr: 192.168.1.254   # Telus router
# next non-comment line configures Cloudflare DNS-over-TLS
# ... hostname after the '#' is not a comment, it is used for TLS checks
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-tls-upstream: yes
forward-first: no   # don't fall back to insecure DNS
--- end /var/unbound/etc/unbound.conf ---

ciao,



7.2: unbound(timeout) on startup

2022-11-08 Thread Martin Schröder
Hi,
since upgrading my router to 7.1 unbound doesn't start up automatically anymore,
instead it times out:

starting early daemons: syslogd pflogd unbound(timeout) ntpd.

It can be started successfully manually later. This setup worked with 7.0.

System is an apu acting as a firewall/router for my home network; outside
connectivity is German Telecom DSL via pppoe.

dmesg: http://oneiros.de/privat/openbsd/dmesg.txt
unbound.conf: http://oneiros.de/privat/openbsd/unbound.conf

Any idea how to debug or fix this?

Thanks in advance
Martin