Thanks for the detailed explanation! Are you referring to this area:

    do_root_trust_anchor_update() {
        if $ROOT_TRUST_ANCHOR_UPDATE; then
            if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
                if [ -r "$DNS_ROOT_KEY_FILE" ]; then
                    if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
                            echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"
                        elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                            echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
                        fi
                        install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
                    fi
                fi
                env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
                    --chuid unbound:unbound --start \
                    --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
            fi
        fi
    }

Should I add the *-R* to
--exec /usr/sbin/unbound-anchor -- -a *-R* "$ROOT_TRUST_ANCHOR_FILE" -v || true ?

On Tue, 27 Oct 2020 at 22:29, Bernardo Reino via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:

> On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:
> > Anyone?
> > Still couldn't fix this on boot.
> > Appreciate your help.
> >
> > On Fri, 23 Oct 2020 at 13:51, Gil Levy <just....@gmail.com> wrote:
> >
> >     After a system reboot, I get the following message when I run
> >     #> sudo systemctl status unbound
> >
> >     Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
> >     Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
> >     Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor is NOT ok and could not be fixed*
> >     Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> >     If I then issue:
> >     #> sudo systemctl restart unbound
> >     #> sudo systemctl status unbound
> >
> >     Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
> >     Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
> >     Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the anchor is ok*
> >     Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> >     Why is that?
> >     Running unbound 1.9.0 on Debian.
> >
> >     Thanks.
>
> As far as I can tell unbound 1.9.0 (debian stable) includes this in
> /usr/lib/unbound/package-helper, which supposedly checks the validity of
> the trust anchor file.
>
>     env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
>         --chuid unbound:unbound --start \
>         --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
>
> This call is not present in the package-helper in e.g. unbound 1.12.0
> (debian backports).
>
> It could be that unbound-anchor tries to download the root trust anchor
> but fails because your resolver is set to 127.0.0.1 and unbound is not
> yet running :)
>
> (This would explain why restarting unbound works)
>
> In the man page of unbound-anchor they mention this issue, which can be
> solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or
> using "-R" which allows fallback to querying directly the root servers.
>
> I'd suggest you edit /usr/lib/unbound/package-helper, look for the call
> to unbound-anchor, and add "-R" to the list of options.
>
> Hopefully that will fix it.
> (You can also edit /etc/default/unbound and set
> ROOT_TRUST_ANCHOR_UPDATE=false), which will just omit the (attempt) to
> update.
>
> Good luck.