unbound.conf issue

Hello everyone,

I tried to configure Unbound for my home network, but at the end of the configuration, when I checked it with "unbound-checkconf unbound.conf", I got the following answer:

    afroissard@raspberrypi:/etc/unbound$ unbound-checkconf unbound.conf
    [1722498296] unbound-checkconf[4199:0] error: trust anchor presented twice
    [1722498296] unbound-checkconf[4199:0] error: could not parse auto-trust-anchor-file /var/lib/unbound/root.key line 2
    [1722498296] unbound-checkconf[4199:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.key
    [1722498296] unbound-checkconf[4199:0] error: validator: error in trustanchors config
    [1722498296] unbound-checkconf[4199:0] error: validator: could not apply configuration settings.
    [1722498296] unbound-checkconf[4199:0] fatal error: bad config for validator module
    afroissard@raspberrypi:/etc/unbound$

Unbound was working just fine before I configured unbound.conf.

Information about my host config:

    afroissard@raspberrypi:/etc/unbound$ hostnamectl
    Static hostname: raspberrypi
    Icon name: computer
    Operating System: Ubuntu 24.04 LTS
    Kernel: Linux 6.8.0-1008-raspi
    Architecture: arm64
    afroissard@raspberrypi:/etc/unbound$

Here is how I set up resolved.conf:

    DNS=127.0.0.1
    #FallbackDNS=
    #Domains=
    DNSSEC=yes
    #DNSOverTLS=no
    #MulticastDNS=no
    #LLMNR=no
    #Cache=no-negative
    #CacheFromLocalhost=no
    DNSStubListener=no
    #DNSStubListenerExtra=
    #ReadEtcHosts=yes
    #ResolveUnicastSingleLabel=no
    #StaleRetentionSec=0

Here is how I set up unbound.conf:

    afroissard@raspberrypi:/etc/unbound$ cat /etc/unbound/unbound.conf
    include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

    server:
        # location of the trust anchor file that enables DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        # send minimal amount of information to upstream servers to enhance privacy
        qname-minimisation: yes
        # the interface that is used to connect to the network (this will listen to all interfaces)
        interface: 0.0.0.0
        interface: ::0
        # addresses from the IP range that are allowed to connect to the resolver
        access-control: 192.168.1.0/26 allow
        # IPv6 netblocks need the full address form; "2001:DB8/64" cannot be parsed
        access-control: 2001:db8::/64 allow

    remote-control:
        # allows controlling unbound using "unbound-control"
        control-enable: yes
    afroissard@raspberrypi:/etc/unbound$

I'm not sure if you have enough information to help me; if that's not the case, I'll provide what you need.

Thank you in advance for your help, guys!

Kind regards,

Alexandre

Hi Alexandre,

Good morning Yorgos,

Thank you for the quick answer!

If I remove the line include-toplevel: "/etc/unbound/unbound.conf.d/*.conf" from the unbound.conf file, should it work?

Thank you.

Alexandre

For a definition of "working" 🙂
I mean it depends on what is configured in those included files.
These files were probably put there by the OS/package maintainers.
In the case of the trust anchor I would keep using the one from the system; so remove the auto-trust-anchor-file from your configuration file.

Actually, even better, I would add your configuration file as a separate file inside the /etc/unbound/unbound.conf.d directory; but first make sure you review the other configured options there.

Then /etc/unbound/unbound.conf would only include all the files under the configuration directory and won't complain between package version updates.

Best regards,
-- Yorgos

Yorgos,

I commented out (with #) the auto-trust-anchor-file line in my configuration file and it works just fine now.

I’m not a Linux specialist.

From what I understand, removing this line will tell Ubuntu to use what was installed by default, correct?

I’m trying to make sure removing this line has no consequences on the security of the system and/or dns service.

Thank you!

Alexandre

Removing this line does not explicitly tell anything to Unbound.
I believe one of the files under /etc/unbound/unbound.conf.d/ specifies a trust-anchor and that should be the system installed one.
You can verify yourself by looking at the files under /etc/unbound/unbound.conf.d/.

Best regards,
-- Yorgos

I just checked, and in the /etc/unbound/unbound.conf.d/ directory I found 2 files:

    afroissard@raspberrypi:/etc/unbound/unbound.conf.d$ ls -al
    total 16
    drwxr-xr-x 2 root root 4096 Jul 31 18:30 .
    drwxr-xr-x 3 root root 4096 Aug  1 11:25 ..
    -rw-r--r-- 1 root root  195 Feb 26 13:47 remote-control.conf
    -rw-r--r-- 1 root root  190 Feb 26 13:47 root-auto-trust-anchor-file.conf
    afroissard@raspberrypi:/etc/unbound/unbound.conf.d$

When I cat them, here's what's inside:

    afroissard@raspberrypi:/etc/unbound/unbound.conf.d$ cat root-auto-trust-anchor-file.conf
    server:
        # The following line will configure unbound to perform cryptographic
        # DNSSEC validation using the root trust anchor.
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
    afroissard@raspberrypi:/etc/unbound/unbound.conf.d$ cat remote-control.conf
    remote-control:
        control-enable: yes
        # by default the control interface is 127.0.0.1 and ::1 and port 8953
        # it is possible to use a unix socket too
        control-interface: /run/unbound.ctl
    afroissard@raspberrypi:/etc/unbound/unbound.conf.d$

The first file enables remote control while the second configures the trust anchor.
You can put your custom configuration file in this directory as well.
Without any include directives though.
So from your first email the contents of that file should only be:

server:
     # send minimal amount of information to upstream servers to enhance privacy
     qname-minimisation: yes
     # the interface that is used to connect to the network (this will listen to all interfaces)
     interface: 0.0.0.0
     # interface: ::0
     # addresses from the IP range that are allowed to connect to the resolver
     access-control: 192.168.1.0/26 allow
     # access-control: 2001:db8::/64 allow

And the /etc/unbound/unbound.conf file should be left at the default:

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

Best regards,
-- Yorgos
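The layout Yorgos recommends works because every directive then lives in exactly one file under the configuration directory. As an added illustration (this is not code from the thread or from the Unbound project), the following POSIX shell script walks a top-level unbound.conf, expands its include-toplevel:/include: globs, and reports any "key: value" directive that is set more than once, which is how the "trust anchor presented twice" error in the first post arises. It assumes one directive per line, '#' comments and include globs that are absolute or relative to the current directory; the sample tree it builds is constructed for the demo and only mirrors the thread's file names.

```sh
#!/bin/sh
# Added example, not from the thread or the Unbound project: find directives
# that are set in more than one file reachable from a top-level unbound.conf.
# Assumptions: one "key: value" per line, '#' comments, include globs
# absolute or relative to the current directory. The sample tree built by
# build_sample is constructed for this demo.

# Print the main file followed by every file its include/include-toplevel
# globs expand to, one path per line.
unbound_config_files() {
    printf '%s\n' "$1"
    sed -n 's/^[[:space:]]*include\(-toplevel\)*:[[:space:]]*\([^#]*\).*/\2/p' "$1" |
        tr -d '"' | sed 's/[[:space:]]*$//' |
        while IFS= read -r pattern; do
            # word splitting and globbing are intended: expand the include pattern
            for f in $pattern; do
                if [ -f "$f" ]; then printf '%s\n' "$f"; fi
            done
        done
}

# Print "key<TAB>value<TAB>file ..." for every directive that occurs more than
# once in the tree reachable from the main config file given as $1. Section
# headers such as "server:" carry no value and are ignored.
duplicate_directives() {
    unbound_config_files "$1" | while IFS= read -r f; do
        awk -v file="$f" '
            { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and padding
            /^[A-Za-z0-9-]+:[ \t]*[^ \t]/ {                   # only key: value lines
                key = $0; sub(/:.*/, "", key)
                val = $0; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
                print key "\t" val "\t" file
            }' "$f"
    done | awk -F'\t' '
        { k = $1 "\t" $2; n[k]++; where[k] = where[k] " " $3 }
        END { for (k in n) if (n[k] > 1) print k "\t" substr(where[k], 2) }' | sort
}

# Constructed sample: a packaged conf.d with the root trust anchor and remote
# control, plus a hand-written unbound.conf that repeats both (the thread's
# starting point). Prints the temp directory; the caller removes it.
build_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/unbound.conf.d"
    cat > "$dir/unbound.conf.d/root-auto-trust-anchor-file.conf" <<EOF
server:
    # DNSSEC validation using the root trust anchor
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
EOF
    cat > "$dir/unbound.conf.d/remote-control.conf" <<EOF
remote-control:
    control-enable: yes
    control-interface: /run/unbound.ctl
EOF
    cat > "$dir/unbound.conf" <<EOF
include-toplevel: "$dir/unbound.conf.d/*.conf"
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    qname-minimisation: yes
    interface: 0.0.0.0
    access-control: 192.168.1.0/26 allow
remote-control:
    control-enable: yes
EOF
    printf '%s\n' "$dir"
}

# Demo: report the two repeated directives in the constructed sample
# (auto-trust-anchor-file and control-enable, each listed with both files).
sample=$(build_sample)
duplicate_directives "$sample/unbound.conf"
rm -rf "$sample"
```

On a real host, run duplicate_directives /etc/unbound/unbound.conf from / (or use absolute include globs, as the packaged file does). The script only finds repetition; unbound-checkconf remains the authority on whether the merged configuration is valid, and unbound-checkconf -o <option> prints the effective value of a single option once the file parses.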

Thank you very much for your help, it works like a charm now 🙂

Time for me to educate myself about that kind of topic.

Have a very nice day, Yorgos!

Alexandre

Hi Yorgos,

this reminds me of a feature I have been missing for a long time.

unbound-checkconf can be used to check if a given unbound.conf is valid.
unbound-checkconf can be used to query one single option and its value.

In postfix [1] or dovecot [2] there are similar tools, but they can dump
- *all* options and their current values
- *all* options and their built-in default values

I think that's something that would also help here in support cases like this one.

Andreas

[1] https://www.postfix.org/postconf.1.html
[2] https://manpages.debian.org/bookworm/dovecot-core/doveconf.1.en.html