Bug #12985
closed
DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access
Added by Danilo Zrenjanin about 2 years ago.
Updated about 2 years ago.
Plus Target Version:
22.05
Description
The unbound-anchor starts after every unbound service (re)start, which causes delays if there is no active Internet connection.
There is no need for unbound-anchor to update /var/unbound/root.key if DNSsec is disabled.
- Target version set to 2.7.0
- Plus Target Version changed from 21.02 to 22.05
- Assignee set to Viktor Gurov
- Status changed from New to Pull Request Review
This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
- Status changed from Pull Request Review to New
Glenn Hall wrote in #note-5:
This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700
- Status changed from New to Pull Request Review
Viktor Gurov wrote in #note-7:
Glenn Hall wrote in #note-5:
This commit seems to break enabling of DNSSEC on 2.7.0.a.20220328.0600. I previously had it enabled, disabled it, then tried to re-enable it again. When I do, I get the following error:
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/root.key: No such file or directory
[1648569147] unbound-checkconf[56468:0] fatal error: auto-trust-anchor-file: "/var/unbound/test/root.key" does not exist in chrootdir /var/unbound
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/700
I applied the patch and it fixed the issue. I can now disable and enable DNSSEC without error. Thanks!
- Status changed from Pull Request Review to Resolved
- Subject changed from Unbound starts after a ~2 min delay if the firewall doesn't have Internet access to DNS Resolver updates trust anchor at boot even with DNSSEC disabled which can lead to a startup delay of ~2 minutes if the firewall does not have Internet access
Updating subject for release notes.
Also available in: Atom
PDF
Updated by 
Updated by Viktor Gurov 
Updated by