<div dir="ltr"><div>Thanks for the detailed explanation!</div><div><br></div><div>Are you referring to this area:</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(11,83,148)"><span style="background-color:rgb(243,243,243)">do_root_trust_anchor_update() {<br> if $ROOT_TRUST_ANCHOR_UPDATE; then<br> if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then<br> if [ -r "$DNS_ROOT_KEY_FILE" ]; then<br> if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then<br> if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then<br> echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"<br> elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then<br> echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"<br> fi<br> install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"<br> fi<br> fi<br> env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \<br> --chuid unbound:unbound --start \<br> --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true<br> fi<br> fi</span></span>}</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:verdana,sans-serif">Should I add the <b>-R </b>to <span style="font-family:monospace"><span style="color:rgb(11,83,148)"><span style="background-color:rgb(243,243,243)">
--exec /usr/sbin/unbound-anchor -- -a <b>-R </b>"$ROOT_TRUST_ANCHOR_FILE" -v || true</span></span> <span style="font-family:verdana,sans-serif">?</span></span></span></div><div><span style="font-family:verdana,sans-serif"><span style="font-family:monospace"><span style="font-family:verdana,sans-serif"><br></span></span></span></div><div><span style="font-family:verdana,sans-serif"><span style="font-family:monospace"><span style="font-family:verdana,sans-serif"><br></span></span>
</span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 27 Oct 2020 at 22:29, Bernardo Reino via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:<br>
> Anyone?<br>
> Still couldn't fix this on boot.<br>
> Appreciate your help.<br>
> <br>
> On Fri, 23 Oct 2020 at 13:51, Gil Levy <<a href="mailto:just.gil@gmail.com" target="_blank">just.gil@gmail.com</a> <br>
> <mailto:<a href="mailto:just.gil@gmail.com" target="_blank">just.gil@gmail.com</a>>> wrote:<br>
> <br>
> After a system reboot, I get the following message when I run<br>
> #> sudo systemctl status unbound<br>
> <br>
> Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...<br>
> Oct 23 13:31:39 raspberrypi package-helper[513]:<br>
> /var/lib/unbound/root.key has content<br>
> Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor<br>
> is NOT ok and could not be fixed*<br>
> Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.<br>
> <br>
> If I then issue:<br>
> #> sudo systemctl restart unbound<br>
> #> sudo systemctl status unbound<br>
> <br>
> Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...<br>
> Oct 23 13:48:30 raspberrypi package-helper[1294]:<br>
> /var/lib/unbound/root.key has content<br>
> Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the<br>
> anchor is ok*<br>
> Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.<br>
> <br>
> Why is that?<br>
> Running unbound 1.9.0 on Debian.<br>
> <br>
> Thanks.<br>
<br>
As far as I can tell unbound 1.9.0 (debian stable) includes this in <br>
/usr/lib/unbound/package-helper, which supposedly checks the validity of <br>
the trust anchor file.<br>
<br>
env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \<br>
--chuid unbound:unbound --start \<br>
--exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true<br>
<br>
This call is not present in the package-helper in e.g. unbound 1.12.0 <br>
(debian backports).<br>
<br>
It could be that unbound-anchor tries to download the root trust anchor <br>
but fails because your resolver is set to 127.0.0.1 and unbound is not <br>
yet running :)<br>
<br>
(This would explain why restarting unbound works)<br>
<br>
In the man page of unbound-anchor they mention this issue, which can be <br>
solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or <br>
using "-R" which allows fallback to querying directly the root servers.<br>
<br>
I'd suggest you edit /usr/lib/unbound/package-helper, look for the call <br>
to unbound-anchor, and add "-R" to the list of options.<br>
<br>
Hopefully that will fix it.<br>
(You can also edit /etc/default/unbound and set <br>
ROOT_TRUST_ANCHOR_UPDATE=false, which will just omit the (attempt) to <br>
update.)<br>
<br>
Good luck.<br>
</blockquote></div>
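As an added example (not code from the Debian package-helper, and not from either message above), here is a small POSIX sh helper that checks for the bootstrap condition Bernardo describes: every nameserver in resolv.conf is a loopback address, so unbound-anchor would be sending its lookups to the unbound that has not started yet. It appends -R only in that case. Two caveats a practitioner would want: -R is a separate option and must not be placed between -a and its file argument (there "-R" would be taken as the anchor filename), and the function names and the sample resolv.conf below are constructed for this example.

```shell
#!/bin/sh
# Added example, not the Debian package-helper: decide whether the
# unbound-anchor call needs -R. The failure at boot happens when the only
# resolver in resolv.conf is the local unbound, which is not running yet, so
# unbound-anchor cannot resolve anything; -R lets it ask the root servers
# directly instead. The function names and sample files are constructed.

# Succeed (exit 0) when every nameserver in the given resolv.conf is a
# loopback address, i.e. the lookup would go to unbound itself.
resolver_is_loopback_only() {
    conf="$1"
    found=0
    # The '|| [ -n "$key" ]' keeps a last line that has no trailing newline.
    while read -r key value rest || [ -n "$key" ]; do
        case "$key" in
            nameserver) ;;
            *) continue ;;        # comments, search, options: ignore
        esac
        found=1
        case "$value" in
            127.*|::1) ;;         # loopback: the not-yet-started unbound
            *) return 1 ;;        # a reachable external resolver exists
        esac
    done < "$conf"
    [ "$found" -eq 1 ]
}

# Build the option list for unbound-anchor. "-a <file>" and "-v" are what the
# package-helper already passes; -R is appended as its own option (never
# between -a and its file argument) only when the loopback condition holds.
anchor_args() {
    anchor_file="$1"
    conf="${2:-/etc/resolv.conf}"
    if resolver_is_loopback_only "$conf"; then
        printf '%s' "-a $anchor_file -v -R"
    else
        printf '%s' "-a $anchor_file -v"
    fi
}

# Demo on a constructed resolv.conf that mirrors the boot-time situation.
demo_conf=$(mktemp)
printf 'nameserver 127.0.0.1\n' > "$demo_conf"
echo "would run: unbound-anchor $(anchor_args /var/lib/unbound/root.key "$demo_conf")"
rm -f "$demo_conf"
```

In a package-helper style script the result of anchor_args would be spliced into the start-stop-daemon line after the `--`; with a resolv.conf that lists an external resolver the option list is unchanged, so the helper does not alter behaviour on systems where the anchor update already works.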