Revert unbound to 18.7.7 - not possible?

[chemlud]

Hello again!

Have here a fresh install of 19.1.1 amd64 with LibreSSL and DNS over TLS configured. Unbound not stable under these conditions, see here

https://forum.opnsense.org/index.php?topic=7811.msg48949#msg48949


:-(

But if I try to revert unbound to the version doing fine with 18.7.x, by

Code: [Select]

opnsense-revert -r 18.7.7 unbound
I only get "Fetching unbound.txz... failed"

(while unbound is UP und running).

Is it not possible to run 19.1.1 with this old version of unbound?

___________________

Was it only a problem with Suricata (not yet) configured correctly (and therefore not starting up)? Now Unbound has been stable for quite some time.

[franco]

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/18.7/MINT/18.7.5/LibreSSL/All/unbound-1.7.3.txz

Unbound 1.9.0 will hit 19.1.2 along with LibreSSL 2.8.3... Can't get worse in that regard I hope.


Cheers,
Franco

[chemlud]

... since my post unbound has been stable. Amazing!

Will try to update (fresh install + config) my systems over the weekend to see how 19.1.1 does on the different platforms :-)

[chemlud]

But 3 min later unbound exited on signal 11....

[chemlud]

Hi Franco, the command you provided downgrades unbound to 1.7.3. However, on my other LibreSSL/DNSoverTLS installs I have 1.8.1 (locked since 18.7.9), which is doing fine.

I upgrade now the 18.7.9 (via 18.7.10.4) to 19.1.1, hopefully this release will play nice with unbound 1.8.1... (otherwise will have to downgrade).

[chemlud]

ooops, didn't know that package lock will not survive upgrade to 19.1.1... so reverted unbound to 1.7.3.

[franco]

Yes, safety measure on major upgrades, otherwise things may break leaving the system in a defunct state.


Cheers,
Franco

[chemlud]

Meanwhile I updated 2 systems with 19.1.1/LibreSSL to unbound 1.8.1, which seems to do fine. So the problem is somewhere between 1.8.1 and 1.8.2 or 1.8.3.

Unbound 1.8.3 with DNSoverTLS is doing fine with 19.1.1 when using OpenSSL, as expected.

[chemlud]

I updated to 19.1.2 with unbound locked to version 1.8.1. After reboot unbound simply doesn't start, nothing in the logs. I tried to replace the pkg.opnsense.org by the IP but get SSL certificate error when trying to download unbound.

No DNS here, any ideas how to resolve? 

[chemlud]

OK, switched to DNSmasq and updated unbound to 1.9.0_1, let's see if it'S stable with DNS over TLS and LibreSSL :-)

[chemlud]

Update on: DNS over TLS (unbound) with LibreSSL

Apparently unbound 1.9.0_1 is stable in this setup (tested for 2-3 hours now... keep fingers crossed). :-D

[franco]

Not sure what went wrong here with the locked package, but keeping fingers crossed for 1.9.0 indeed...


Cheers,
Franco

[chemlud]

...took about 24 h hours, but then exited unbound on "signal 11" according to System log...

will try to downgrade unbound and see if it starts with 19.1.2...

[chemlud]

Downgraded to unbound 1.8.1, which will not start due to

Code: [Select]

Mar 2 11:40:07 opnsense: /status_services.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was 'Shared object "libssl.so.45" not found, required by "unbound"'
in the sys log.

[chemlud]

Is there sumfink like a "service watchdog" which could monitor unbound and restart if it dies away? :-)