Bug #12985
Status: Closed
Subject: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access
Done: 0%
Description
The unbound-anchor starts after every unbound service (re)start, which causes delays if there is no active Internet connection.
There is no need for unbound-anchor to update /var/unbound/root.key if DNSsec is disabled.
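One way to implement the behaviour the description asks for, written as an added example and not pfSense's own code nor the change in the merge request linked later in this issue: the trust anchor is only refreshed when the generated config actually references an auto-trust-anchor-file, the refresh is bounded by a timeout so an offline box cannot stall for minutes, and the key file is checked afterwards so the "does not exist in chrootdir" failure from unbound-checkconf is caught before the service starts. The config and key paths, the timeout value, and the availability of the timeout(1) and unbound-anchor(8) binaries at run time are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense's own code): refresh the DNSSEC trust anchor
# at resolver start only when DNSSEC is enabled, and never let the refresh
# block startup on a firewall without Internet access.
#
# Assumptions: config and key paths below, a POSIX sh with timeout(1)
# (present on FreeBSD and GNU coreutils), and unbound-anchor(8) on PATH.

UNBOUND_CONF="${UNBOUND_CONF:-/var/unbound/unbound.conf}"
ROOT_KEY="${ROOT_KEY:-/var/unbound/root.key}"
ANCHOR_TIMEOUT="${ANCHOR_TIMEOUT:-10}"   # seconds; the report saw ~2 minutes

# dnssec_enabled CONF: succeeds when the generated config references an
# auto-trust-anchor-file, which is the directive unbound needs for
# DNSSEC validation. A missing config counts as "disabled".
dnssec_enabled() {
    grep -Eq '^[[:space:]]*auto-trust-anchor-file:' "$1" 2>/dev/null
}

# should_update_anchor CONF: prints "yes" or "no" so the decision can be
# tested without side effects.
should_update_anchor() {
    if dnssec_enabled "$1"; then echo yes; else echo no; fi
}

# anchor_file_present CONF KEY: mirrors the unbound-checkconf failure seen
# later in this thread. A config that references auto-trust-anchor-file is
# only usable if the key file really exists and is non-empty.
anchor_file_present() {
    if dnssec_enabled "$1" && [ ! -s "$2" ]; then
        echo "config references auto-trust-anchor-file but $2 is missing" >&2
        return 1
    fi
    return 0
}

# update_trust_anchor CONF KEY: run unbound-anchor only when DNSSEC is on,
# cap its run time, then verify the key file before the resolver starts.
update_trust_anchor() {
    conf=$1; key=$2
    if [ "$(should_update_anchor "$conf")" = no ]; then
        echo "DNSSEC disabled; skipping trust anchor update for $key"
        return 0
    fi
    # unbound-anchor's exit code reports whether the key file changed; it
    # is not a failure of the resolver, so only a timeout (124) is logged.
    timeout "$ANCHOR_TIMEOUT" unbound-anchor -a "$key"
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "unbound-anchor timed out after ${ANCHOR_TIMEOUT}s; using existing $key" >&2
    fi
    # Fail loudly here rather than letting unbound-checkconf fail later.
    anchor_file_present "$conf" "$key"
}

# Usage (from a start script): . ./anchor.sh; update_trust_anchor "$UNBOUND_CONF" "$ROOT_KEY"
```

The decision is keyed on the generated unbound.conf rather than on the GUI setting, so the script and the config that unbound-checkconf later validates cannot disagree about whether a key file is required.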
Updated by Jim Pingle over 2 years ago
- Target version set to 2.7.0
- Plus Target Version changed from 21.02 to 22.05
Updated by Viktor Gurov over 2 years ago
forum topic & solution:
https://forum.netgate.com/topic/162435/unbound-service-very-slow-to-start-in-offline-setup
Updated by Viktor Gurov over 2 years ago
- Assignee set to Viktor Gurov
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Glenn Hall over 2 years ago
This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
Updated by Jim Pingle over 2 years ago
- Status changed from Pull Request Review to New
Updated by Viktor Gurov over 2 years ago
Glenn Hall wrote in #note-5:
This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Glenn Hall over 2 years ago
Viktor Gurov wrote in #note-7:
Glenn Hall wrote in #note-5:
This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700
I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Resolved
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700
I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!
Merge:
https://github.com/pfsense/pfsense/commit/34fc7cd6b5a1b9cb9edafb13cd3dbb4142c66294
Updated by Jim Pingle over 2 years ago
- Subject changed from Unbound starts after a ~2 min delay if the firewall doesn't have Internet access to DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access
Updating subject for release notes.