Thanks for the detailed explanation!
Are you referring to this area:
do_root_trust_anchor_update() {
if $ROOT_TRUST_ANCHOR_UPDATE; then
if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
if [ -r "$DNS_ROOT_KEY_FILE" ]; then
if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE"
-nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
echo "$ROOT_TRUST_ANCHOR_FILE does not exist,
copying from $DNS_ROOT_KEY_FILE"
elif [ "$DNS_ROOT_KEY_FILE" -nt
"$ROOT_TRUST_ANCHOR_FILE" ]; then
echo "Overwriting older file
$ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
fi
install -m 0644 -o unbound -g unbound
"$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
fi
fi
env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
--chuid unbound:unbound --start \
--exec /usr/sbin/unbound-anchor -- -a
"$ROOT_TRUST_ANCHOR_FILE" -v || true
fi
fi}
Should I add the *-R *to --exec /usr/sbin/unbound-anchor -- -a *-R
*"$ROOT_TRUST_ANCHOR_FILE"
-v || true ?
On Tue, 27 Oct 2020 at 22:29, Bernardo Reino via Unbound-users <
unbound-users@lists.nlnetlabs.nl> wrote:
> On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:
> > Anyone?
> > Still couldn't fix this on boot.
> > Appreciate your help.
> >
> > On Fri, 23 Oct 2020 at 13:51, Gil Levy <just....@gmail.com
> > <mailto:just....@gmail.com>> wrote:
> >
> > After a system reboot, I get the following message when I run
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS
> server...
> > Oct 23 13:31:39 raspberrypi package-helper[513]:
> > /var/lib/unbound/root.key has content
> > Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor
> > is NOT ok and could not be fixed*
> > Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > If I then issue:
> > #> sudo systemctl restart unbound
> > #> sudo systemctl status unbound
> >
> > Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS
> server...
> > Oct 23 13:48:30 raspberrypi package-helper[1294]:
> > /var/lib/unbound/root.key has content
> > Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the
> > anchor is ok*
> > Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
> >
> > Why is that?
> > Running unbound 1.9.0 on Debian.
> >
> > Thanks.
>
> As far as I tell unbound 1.9.0 (debian stable) includes this in
> /usr/lib/unbound/package-helper, which supposedly checks the validity of
> the trust anchor file.
>
> env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
> --chuid unbound:unbound --start \
> --exec /usr/sbin/unbound-anchor -- -a
> "$ROOT_TRUST_ANCHOR_FILE" -v || true
>
> This call is not present in the package-helper in e.g. unbound 1.12.0
> (debian backports).
>
> It could be that unbound-anchor tries to download the root trust anchor
> but fails because your resolver is set to 127.0.0.1 and unbound is not
> yet running :)
>
> (This would explain why restarting unbound works)
>
> In the man page of unbound-anchor they mention this issue, which can be
> solved by using "-f /path/to/another/resolv.conf" for bootstapping, or
> using "-R" which allows fallback to querying directly the root servers.
>
> I'd suggest you edit /usr/lib/unbound/package-helper, look for the call
> to unbound-anchor, and add "-R" to the list of options.
>
> Hopefully that will fix it.
> (You can also edit /etc/default/unbound and set
> ROOT_TRUST_ANCHOR_UPDATE=false), which will just omit the (attempt) to
> update.
>
> Good luck.
>
