After a system reboot, I get the following message when I run
#> sudo systemctl status unbound
Oct 23 13:31:38 raspberrypi systemd[1]: Starting Unbound DNS server…
Oct 23 13:31:39 raspberrypi package-helper[513]: /var/lib/unbound/root.key has content
Oct 23 13:31:39 raspberrypi package-helper[513]: fail: the anchor is NOT ok and could not be fixed
Oct 23 13:31:39 raspberrypi systemd[1]: Started Unbound DNS server.
If I then issue:
#> sudo systemctl restart unbound
#> sudo systemctl status unbound
Oct 23 13:48:30 raspberrypi systemd[1]: Starting Unbound DNS server…
Oct 23 13:48:30 raspberrypi package-helper[1294]: /var/lib/unbound/root.key has content
Oct 23 13:48:30 raspberrypi package-helper[1294]: success: the anchor is ok
Oct 23 13:48:31 raspberrypi systemd[1]: Started Unbound DNS server.
Why is that?
Running unbound 1.9.0 on Debian.
Thanks.
Anyone?
Still couldn’t fix this on boot.
Appreciate your help.
As far as I can tell unbound 1.9.0 (debian stable) includes this in /usr/lib/unbound/package-helper, which supposedly checks the validity of the trust anchor file.
env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
--chuid unbound:unbound --start \
--exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
This call is not present in the package-helper in e.g. unbound 1.12.0 (debian backports).
It could be that unbound-anchor tries to download the root trust anchor but fails because your resolver is set to 127.0.0.1 and unbound is not yet running. (This would explain why restarting unbound works.)
In the man page of unbound-anchor they mention this issue, which can be solved by using "-f /path/to/another/resolv.conf" for bootstrapping, or using "-R" which allows fallback to querying directly the root servers.
I'd suggest you edit /usr/lib/unbound/package-helper, look for the call to unbound-anchor, and add "-R" to the list of options.
Hopefully that will fix it.
(You can also edit /etc/default/unbound and set ROOT_TRUST_ANCHOR_UPDATE=false, which will just omit the attempt to update.)
Good luck.
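The boot-order race described above (unbound-anchor runs before unbound, the only configured resolver, is listening) can be handled by deciding at run time whether the -R fallback is needed. The following POSIX sh script is an added example, not code from this thread or from Debian's package-helper; the ROOT_TRUST_ANCHOR_FILE default and the sample resolv.conf contents are assumptions, and no real DNS traffic is generated.

```shell
#!/bin/sh
# Added example (not from this thread or from Debian's package-helper).
# Decide whether unbound-anchor needs -R at boot: when resolv.conf points
# only at loopback, unbound itself is the resolver and is not up yet when
# the anchor check runs, so bootstrapping through the local resolver fails.
# ROOT_TRUST_ANCHOR_FILE and the sample resolv.conf contents are assumptions.

ROOT_TRUST_ANCHOR_FILE="${ROOT_TRUST_ANCHOR_FILE:-/var/lib/unbound/root.key}"

# Succeed (return 0) when every nameserver in the given resolv.conf is a
# loopback address. A file with no nameserver lines also counts: the libc
# resolver then defaults to the name server on the local machine.
resolver_is_loopback() {
    conf="$1"
    # Unreadable/missing file: configuration unknown, assume the fallback is needed.
    [ -r "$conf" ] || return 0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$conf"); do
        case "$ns" in
            127.*|::1) ;;          # loopback: keep checking the rest
            *) return 1 ;;         # a real upstream exists: normal bootstrap works
        esac
    done
    return 0
}

# Print the argument list unbound-anchor should be started with.
anchor_args() {
    conf="${1:-/etc/resolv.conf}"
    if resolver_is_loopback "$conf"; then
        # -R lets unbound-anchor query the root servers directly when the
        # configured resolver is unusable (see unbound-anchor(8)).
        echo "-a $ROOT_TRUST_ANCHOR_FILE -v -R"
    else
        echo "-a $ROOT_TRUST_ANCHOR_FILE -v"
    fi
}

# Demonstration on constructed resolv.conf files (192.0.2.53 is a
# documentation-range address standing in for a real upstream resolver).
demo() {
    tmp=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$tmp/loopback.conf"
    printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/mixed.conf"
    echo "loopback only: unbound-anchor $(anchor_args "$tmp/loopback.conf")"
    echo "with upstream: unbound-anchor $(anchor_args "$tmp/mixed.conf")"
    rm -rf "$tmp"
}
demo
```

In package-helper the decision would replace the fixed `-a "$ROOT_TRUST_ANCHOR_FILE" -v` part of the start-stop-daemon line; keeping `|| true` there is still appropriate, since unbound-anchor's exit status signals whether the anchor file changed rather than only success or failure.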
Thanks for the detailed explanation!
Are you referring to this area:
do_root_trust_anchor_update() {
    if $ROOT_TRUST_ANCHOR_UPDATE; then
        if [ -n "$ROOT_TRUST_ANCHOR_FILE" ]; then
            # seed or refresh the anchor file from the dns-root-data package copy
            if [ -r "$DNS_ROOT_KEY_FILE" ]; then
                if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" -o "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                    if [ ! -e "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        echo "$ROOT_TRUST_ANCHOR_FILE does not exist, copying from $DNS_ROOT_KEY_FILE"
                    elif [ "$DNS_ROOT_KEY_FILE" -nt "$ROOT_TRUST_ANCHOR_FILE" ]; then
                        echo "Overwriting older file $ROOT_TRUST_ANCHOR_FILE with newer file $DNS_ROOT_KEY_FILE"
                    fi
                    install -m 0644 -o unbound -g unbound "$DNS_ROOT_KEY_FILE" "$ROOT_TRUST_ANCHOR_FILE"
                fi
            fi
            # run unbound-anchor as the unbound user to check/update the anchor
            env -i LANG="$LANG" PATH="$PATH" start-stop-daemon \
                --chuid unbound:unbound --start \
                --exec /usr/sbin/unbound-anchor -- -a "$ROOT_TRUST_ANCHOR_FILE" -v || true
        fi
    fi
}
Should I add the -R to --exec /usr/sbin/unbound-anchor -- -a -R "$ROOT_TRUST_ANCHOR_FILE" -v || true ?
I was not successful with the -R option. However, I was successful with making the following change in raspi-config:
$ sudo raspi-config
-System Options
-Network at Boot
"Would you like boot to wait until a network connection is established?" Yes
I’m sure it’s probably not the best solution, but it works for me!
FYI - Raspberry Pi 4 Model B Rev 1.1, Raspbian GNU/Linux 10 (buster).
Would love feedback if enabling “Network at Boot” is a bad idea.