Bug #12985: DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #12985

closed

DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access

Added by Danilo Zrenjanin over 2 years ago. Updated over 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Viktor Gurov

Category:

DNS Resolver

Target version:

2.7.0

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

22.05

Release Notes:

Default

Affected Version:

2.6.0

Affected Architecture:

Description

The unbound-anchor starts after every unbound service (re)start, which causes delays if there is no active Internet connection.

There is no need for unbound-anchor to update /var/unbound/root.key if DNSsec is disabled.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Target version set to 2.7.0
Plus Target Version changed from 21.02 to 22.05

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

forum topic & solution:
https://forum.netgate.com/topic/162435/unbound-service-very-slow-to-start-in-offline-setup

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Assignee set to Viktor Gurov

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/688

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from New to Pull Request Review

Actions

Copy link

Updated by Glenn Hall over 2 years ago

This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:

The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors: /var/unbound/test/root.key: No such file or directory [1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from Pull Request Review to New

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Glenn Hall wrote in #note-5:

This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:

The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors: /var/unbound/test/root.key: No such file or directory [1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from New to Pull Request Review

Actions

Copy link

Updated by Glenn Hall over 2 years ago

Viktor Gurov wrote in #note-7:

Glenn Hall wrote in #note-5:

This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:

The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors: /var/unbound/test/root.key: No such file or directory [1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700

I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!

Actions

Copy link

#10

Updated by Viktor Gurov over 2 years ago

Status changed from Pull Request Review to Resolved

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700

I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!

Merge:
https://github.com/pfsense/pfsense/commit/34fc7cd6b5a1b9cb9edafb13cd3dbb4142c66294

Actions

Copy link

#11

Updated by Jim Pingle over 2 years ago

Subject changed from Unbound starts after a ~2 min delay if the firewall doesn't have Internet access to DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access

Updating subject for release notes.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #12985

DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access

Updated by Jim Pingle over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Glenn Hall over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Glenn Hall over 2 years ago

Updated by Viktor Gurov over 2 years ago

Updated by Jim Pingle over 2 years ago