fail: the anchor is NOT ok and could not be fixed
Bernardo Reino
reinob at bbmk.org
Tue Oct 27 11:23:16 UTC 2020
On 27/10/2020 09:38, Gil Levy via Unbound-users wrote:
> Anyone?
> Still couldn't fix this on boot.
> Appreciate your help.
>
> On Fri, 23 Oct 2020 at 13:51, Gil Levy <just.gil at gmail.com
> <mailto:just.gil at gmail.com>> wrote:
>
> After a system reboot, I get the following message when I run
> #> sudo systemctl status unbound
>
> Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server...
> Oct 23 13:31:39 raspberrypi package-helper[513]:
> /var/lib/unbound/root.key has content
> Oct 23 13:31:39 raspberrypi package-helper[513]: *fail: the anchor
> is NOT ok and could not be fixed*
> Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
>
> If I then issue:
> #> sudo systemctl restart unbound
> #> sudo systemctl status unbound
>
> Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server...
> Oct 23 13:48:30 raspberrypi package-helper[1294]:
> /var/lib/unbound/root.key has content
> Oct 23 13:48:30 raspberrypi package-helper[1294]: *success: the
> anchor is ok*
> Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
>
> Why is that?
> Running unbound 1.9.0 on Debian.
>
> Thanks.
As far as I tell unbound 1.9.0 (debian stable) includes this in
/usr/lib/unbound/package-helper, which supposedly checks the validity of
the trust anchor file.
env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
--chuid unbound:unbound --start \
--exec /usr/sbin/unbound-anchor -- -a
"$ROOT_TRUST_ANCHOR_FILE" -v || true
This call is not present in the package-helper in e.g. unbound 1.12.0
(debian backports).
It could be that unbound-anchor tries to download the root trust anchor
but fails because your resolver is set to 127.0.0.1 and unbound is not
yet running :)
(This would explain why restarting unbound works)
In the man page of unbound-anchor they mention this issue, which can be
solved by using "-f /path/to/another/resolv.conf" for bootstapping, or
using "-R" which allows fallback to querying directly the root servers.
I'd suggest you edit /usr/lib/unbound/package-helper, look for the call
to unbound-anchor, and add "-R" to the list of options.
Hopefully that will fix it.
(You can also edit /etc/default/unbound and set
ROOT_TRUST_ANCHOR_UPDATE=false), which will just omit the (attempt) to
update.
Good luck.
More information about the Unbound-users
mailing list