Bug #12985

closed

DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access

Added by Danilo Zrenjanin 7 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: DNS Resolver
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

The unbound-anchor starts after every unbound service (re)start, which causes delays if there is no active Internet connection.

There is no need for unbound-anchor to update /var/unbound/root.key if DNSSEC is disabled.

Actions #1

Updated by Jim Pingle 6 months ago

  • Target version set to 2.7.0
  • Plus Target Version changed from 21.02 to 22.05
Actions #3

Updated by Viktor Gurov 6 months ago

  • Assignee set to Viktor Gurov
Actions #4

Updated by Jim Pingle 6 months ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Glenn Hall 6 months ago

This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:

The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

Actions #6

Updated by Jim Pingle 6 months ago

  • Status changed from Pull Request Review to New
Actions #7

Updated by Viktor Gurov 6 months ago

Glenn Hall wrote in #note-5:

This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:

The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700

Actions #8

Updated by Jim Pingle 6 months ago

  • Status changed from New to Pull Request Review
Actions #9

Updated by Glenn Hall 6 months ago

Viktor Gurov wrote in #note-7:

Glenn Hall wrote in #note-5:

This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:

The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700

I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!

Actions #10

Updated by Viktor Gurov 6 months ago

  • Status changed from Pull Request Review to Resolved

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700

I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!

Merge:
https://github.com/pfsense/pfsense/commit/34fc7cd6b5a1b9cb9edafb13cd3dbb4142c66294

Actions #11

Updated by Jim Pingle 6 months ago

  • Subject changed from Unbound starts after a ~2 min delay if the firewall doesn't have Internet access to DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access

Updating subject for release notes.
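
A pre-start check for the two failure modes in this ticket, as an added example that is not pfSense code or the merged fix: it skips the trust-anchor update when the config sets no auto-trust-anchor-file, and it flags a configured anchor file that is missing before unbound-checkconf would reject the config. The function names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not pfSense code. Function names and sample paths are assumptions.

# Print each auto-trust-anchor-file path set in an unbound config, ignoring comments.
anchor_files() {
    sed -e 's/#.*//' "$1" | awk '
        /^[ \t]*auto-trust-anchor-file[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")   # drop the key
            gsub(/"/, "")              # drop optional quotes
            sub(/[ \t]+$/, "")         # drop trailing blanks
            if ($0 != "") print
        }'
}

# Decide what a start script should do before launching unbound with this config:
#   skip-anchor       no trust anchor configured, so unbound-anchor is not needed
#   seed-anchor PATH  anchor configured but file missing or empty (checkconf would fail)
#   update-anchor     anchor configured and present
plan_start() {
    files=$(anchor_files "$1")
    if [ -z "$files" ]; then
        echo "skip-anchor"
        return 0
    fi
    missing=0
    # Read line by line so paths containing spaces survive.
    while IFS= read -r f; do
        if [ ! -s "$f" ]; then
            echo "seed-anchor $f"
            missing=1
        fi
    done <<EOF
$files
EOF
    [ "$missing" -eq 1 ] || echo "update-anchor"
}

# Constructed sample configs in a temporary directory; nothing touches /var/unbound.
demo() {
    d=$(mktemp -d)
    printf 'server:\n  # auto-trust-anchor-file: "%s/root.key"\n' "$d" > "$d/off.conf"
    printf 'server:\n  auto-trust-anchor-file: "%s/test/root.key"\n' "$d" > "$d/on.conf"
    plan_start "$d/off.conf"      # DNSSEC disabled
    plan_start "$d/on.conf"       # re-enabled, key file absent (the note-5 error)
    mkdir "$d/test" && echo "constructed placeholder key" > "$d/test/root.key"
    plan_start "$d/on.conf"       # key file present
    rm -rf "$d"
}
demo
```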
