fail: the anchor is NOT ok and could not be fixed

Bernardo Reino reinob at bbmk.org
Tue Oct 27 11:23:16 UTC 2020


On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:
> Anyone?
> Still couldn't fix this on boot.
> Appreciate your help.
> 
> On Fri, 23 Oct 2020 at 13:51, Gil Levy <just.gil at gmail.com 
> <mailto:just.gil at gmail.com>> wrote:
> 
>     After a system reboot, I get the following message when I run
>     #> sudo systemctl status unbound
> 
>     Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
>     Oct 23 13:31:39 raspberrypi package-helper[513]:
>     /var/lib/unbound/root.key has content
>     Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor
>     is NOT ok and could not be fixed*
>     Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
> 
>     If I then issue:
>     #> sudo systemctl restart unbound
>     #> sudo systemctl status unbound
> 
>     Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
>     Oct 23 13:48:30 raspberrypi package-helper[1294]:
>     /var/lib/unbound/root.key has content
>     Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the
>     anchor is ok*
>     Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
> 
>     Why is that?
>     Running unbound 1.9.0 on Debian.
> 
>     Thanks.

As far as I can tell unbound 1.9.0 (debian stable) includes this in 
/usr/lib/unbound/package-helper, which supposedly checks the validity of 
the trust anchor file.

env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
                 --chuid unbound:unbound --start \
                 --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true

This call is not present in the package-helper in e.g. unbound 1.12.0 
(debian backports).

It could be that unbound-anchor tries to download the root trust anchor 
but fails because your resolver is set to 127.0.0.1 and unbound is not 
yet running :)

(This would explain why restarting unbound works)

In the man page of unbound-anchor they mention this issue, which can be 
solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or 
using "-R", which allows falling back to querying the root servers directly.

I'd suggest you edit /usr/lib/unbound/package-helper, look for the call 
to unbound-anchor, and add "-R" to the list of options.

Hopefully that will fix it.
(You can also edit /etc/default/unbound and set 
ROOT_TRUST_ANCHOR_UPDATE=false, which will just omit the attempt to 
update.)

Good luck.
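The bootstrap loop described in this reply (unbound-anchor cannot resolve anything because resolv.conf points at 127.0.0.1 and unbound itself is not yet up) is easy to check for before deciding whether "-R" is needed. The following POSIX shell is an added example and is not part of the thread or of Debian's package-helper: it parses a resolv.conf-style file, reports whether every nameserver is a loopback address, and builds the unbound-anchor option list accordingly. The "-a", "-v" and "-R" options are the real unbound-anchor options mentioned above; the helper function names, the loopback heuristic and the sample resolv.conf files (created under a temporary directory) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Debian package.
# Detects the "resolver points back at the not-yet-running unbound" case
# and only then adds -R (fallback to the root servers) to unbound-anchor.

# Returns 0 when every "nameserver" line is a loopback address
# (127.0.0.0/8 or ::1), 1 when at least one is not, and 2 when the file
# has no nameserver lines at all. Comment lines and other keys are ignored.
resolvconf_only_loopback() {
    # $1: path to a resolv.conf-style file (must end with a newline)
    n_total=0
    n_loop=0
    while read -r key value _rest; do
        [ "$key" = "nameserver" ] || continue
        n_total=$((n_total + 1))
        case "$value" in
            127.*|::1) n_loop=$((n_loop + 1)) ;;
        esac
    done < "$1"
    [ "$n_total" -eq 0 ] && return 2
    [ "$n_total" -eq "$n_loop" ]
}

# Prints the option list for unbound-anchor at boot time.
# $1: trust anchor file (what package-helper passes via -a)
# $2: resolv.conf that unbound-anchor would use for its lookups
# -R is appended only when the resolver would loop back to unbound,
# so a host with a working external resolver keeps the default behaviour.
anchor_options() {
    opts="-a $1 -v"
    if resolvconf_only_loopback "$2"; then
        opts="$opts -R"
    fi
    printf '%s\n' "$opts"
}

# Constructed sample resolv.conf files, created under a temp directory so
# the example runs offline and touches nothing under /etc.
SAMPLE_DIR=$(mktemp -d)
LOOP_CONF="$SAMPLE_DIR/resolv.loop.conf"   # only loopback: needs -R
EXT_CONF="$SAMPLE_DIR/resolv.ext.conf"     # has an external resolver
EMPTY_CONF="$SAMPLE_DIR/resolv.empty.conf" # no nameserver at all
printf 'nameserver 127.0.0.1\nnameserver ::1\n' > "$LOOP_CONF"
printf '# constructed sample\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$EXT_CONF"
printf 'search example.net\n' > "$EMPTY_CONF"

# Stand-alone run: show what package-helper would pass in each case.
anchor_options /var/lib/unbound/root.key "$LOOP_CONF"
anchor_options /var/lib/unbound/root.key "$EXT_CONF"
```

On a real host you would call anchor_options with /etc/resolv.conf (or the file you hand to "-f") and splice the result into the start-stop-daemon line quoted above; the "no nameserver" return code 2 is treated as "not loopback" here, since unbound-anchor would then fail for a different reason than the loop this thread is about.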

