Re: fail: the anchor is NOT ok and could not be fixed

2021-02-14 Thread Brady Kramer via Unbound-users
I was not successful with the -R option. However, I was successful with making 
the following change in raspi-config:

$ sudo raspi-config
-System Options
-Network at Boot
“Would you like boot to wait until a network connection is established?”  Yes

I’m sure it’s probably not the best solution, but it works for me!

FYI  -  Raspberry Pi 4 Model B Rev 1.1,   Raspbian GNU/Linux 10 (buster).

Would love feedback if enabling “Network at Boot” is a bad idea.

Re: fail: the anchor is NOT ok and could not be fixed

2020-10-27 Thread Gil Levy via Unbound-users
Thanks for the detailed explanation!

Are you referring to this area:

do_root_trust_anchor_update() {
    if $ROOT_TRUST_ANCHOR_UPDATE; then
        if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
            if [ -r "$DNS_ROOT_KEY_FILE" ]; then
                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                    if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"
                    elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
                    fi
                    install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
                fi
            fi
            env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
                --chuid unbound:unbound --start \
                --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
        fi
    fi
}

Should I add the *-R* to --exec /usr/sbin/unbound-anchor -- -a *-R* "$ROOT_TRUST_ANCHOR_FILE" -v || true ?



On Tue, 27 Oct 2020 at 22:29, Bernardo Reino via Unbound-users <
unbound-users@lists.nlnetlabs.nl> wrote:

> On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:
> > Anyone?
> > Still couldn't fix this on boot.
> > Appreciate your help.
> >
> > On Fri, 23 Oct 2020 at 13:51, Gil Levy wrote:
> >
> > After a system reboot, I get the following message when I run
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
> > Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
> > Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT ok and could not be fixed*
> > Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > If I then issue:
> > #> sudo systemctl restart unbound
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
> > Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
> > Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is ok*
> > Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > Why is that?
> > Running unbound 1.9.0 on Debian.
> >
> > Thanks.
>
> As far as I can tell unbound 1.9.0 (debian stable) includes this in
> /usr/lib/unbound/package-helper, which supposedly checks the validity of
> the trust anchor file.
>
> env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
>     --chuid unbound:unbound --start \
>     --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
>
> This call is not present in the package-helper in e.g. unbound 1.12.0
> (debian backports).
>
> It could be that unbound-anchor tries to download the root trust anchor
> but fails because your resolver is set to 127.0.0.1 and unbound is not
> yet running :)
>
> (This would explain why restarting unbound works)
>
> In the man page of unbound-anchor they mention this issue, which can be
> solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or
> using "-R" which allows fallback to querying directly the root servers.
>
> I'd suggest you edit /usr/lib/unbound/package-helper, look for the call
> to unbound-anchor, and add "-R" to the list of options.
>
> Hopefully that will fix it.
> (You can also edit /etc/default/unbound and set
> ROOT_TRUST_ANCHOR_UPDATE=false), which will just omit the (attempt) to
> update.
>
> Good luck.
>


Re: fail: the anchor is NOT ok and could not be fixed

2020-10-27 Thread Bernardo Reino via Unbound-users

On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:

> Anyone?
> Still couldn't fix this on boot.
> Appreciate your help.
>
> On Fri, 23 Oct 2020 at 13:51, Gil Levy wrote:
>
> > After a system reboot, I get the following message when I run
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
> > Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
> > Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT ok and could not be fixed*
> > Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > If I then issue:
> > #> sudo systemctl restart unbound
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
> > Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
> > Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is ok*
> > Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > Why is that?
> > Running unbound 1.9.0 on Debian.
> >
> > Thanks.


As far as I can tell unbound 1.9.0 (debian stable) includes this in 
/usr/lib/unbound/package-helper, which supposedly checks the validity of 
the trust anchor file.

env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
    --chuid unbound:unbound --start \
    --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true


This call is not present in the package-helper in e.g. unbound 1.12.0 
(debian backports).


It could be that unbound-anchor tries to download the root trust anchor 
but fails because your resolver is set to 127.0.0.1 and unbound is not 
yet running :)


(This would explain why restarting unbound works)

In the man page of unbound-anchor they mention this issue, which can be 
solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or 
using "-R" which allows fallback to querying directly the root servers.


I'd suggest you edit /usr/lib/unbound/package-helper, look for the call 
to unbound-anchor, and add "-R" to the list of options.


Hopefully that will fix it.
(You can also edit /etc/default/unbound and set 
ROOT_TRUST_ANCHOR_UPDATE=false), which will just omit the (attempt) to 
update.


Good luck.


Re: fail: the anchor is NOT ok and could not be fixed

2020-10-27 Thread Gil Levy via Unbound-users
Anyone?
Still couldn't fix this on boot.
Appreciate your help.

On Fri, 23 Oct 2020 at 13:51, Gil Levy  wrote:

> After a system reboot, I get the following message when I run
> #> sudo systemctl status unbound
>
> Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
> Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
> Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT ok and could not be fixed*
> Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
>
> If I then issue:
> #> sudo systemctl restart unbound
> #> sudo systemctl status unbound
>
> Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
> Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
> Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is ok*
> Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
>
> Why is that?
> Running unbound 1.9.0 on Debian.
>
> Thanks.
>
>


fail: the anchor is NOT ok and could not be fixed

2020-10-22 Thread Gil Levy via Unbound-users
After a system reboot, I get the following message when I run
#> sudo systemctl status unbound

Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT ok and could not be fixed*
Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.

If I then issue:
#> sudo systemctl restart unbound
#> sudo systemctl status unbound

Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is ok*
Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.

Why is that?
Running unbound 1.9.0 on Debian.

Thanks.
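
The two journal excerpts in the report above, turned into a check (an added example, not part of the thread and not Debian's package-helper code). The package-helper call quoted in the replies ends in `|| true` and the log shows "Started" right after the failure, so the function below flags every start that followed a failed anchor check. `anchor_check_report` and `sample_journal` are hypothetical names; the sample input is the report's log lines with the mail wrapping and emphasis asterisks removed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Reads journal lines for the unbound unit on stdin (for instance from
# `journalctl -u unbound`) and prints one line per
# "Started Unbound DNS server" event:
#   <month> <day> <time> anchor=<ok|FAILED|unknown>
# The verdict is the last package-helper anchor message seen since the
# preceding "Starting Unbound DNS server" line. Returns 1 if any start
# followed a failed anchor check, 0 otherwise.
anchor_check_report() {
    awk '
        BEGIN { verdict = "unknown"; bad = 0 }
        /systemd\[[0-9]+\]: Starting Unbound DNS server/ { verdict = "unknown" }
        /package-helper\[[0-9]+\]: .*success: the anchor is ok/ { verdict = "ok" }
        /package-helper\[[0-9]+\]: .*fail: the anchor is NOT ok/ { verdict = "FAILED" }
        /systemd\[[0-9]+\]: Started Unbound DNS server/ {
            print $1, $2, $3, "anchor=" verdict
            if (verdict == "FAILED") bad = 1
            verdict = "unknown"
        }
        END { exit bad }
    '
}

# Sample input: the log lines from the report, unwrapped (constructed copy).
sample_journal() {
    cat <<'EOF'
Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
Oct 23 13:31:39 raspberrypi package-helper[513]: fail: the anchor is NOT ok and could not be fixed
Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
Oct 23 13:48:30 raspberrypi package-helper[1294]: success: the anchor is ok
Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
EOF
}

# Demo: print the report and a note when a start followed a failed check.
sample_journal | anchor_check_report ||
    echo "unbound was started after a failed trust anchor check"
```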