Unbound DNS DoT config contact to root server

[tillsense]

Hi all,

Unbound contacts the root server(s) at startup. With a DoT config and firewall rules that prevent port 53 makes no sense. An option in the gui to prevent this would be suitable at the point or even in this case the default?

cheers
till

[Fright]

Hi!
is 22.7.9_3 applied?

[tillsense]

Hi,
oops... yes the version is 22.7.9_3

cheers
till

[Fright]

uh...looks like unbound-checkconf is screwing up in one more place
can you test with

Code: [Select]

opnsense-patch -a kulikov-a f0f1bedplease?

[tillsense]

very nice that's ok but the unbound service starts 3 times for one start I just see?

[Fright]

sorry, I didn't quite understand )
no roots poking with the patch applied?

service starts 3 times for one start I just see?

patch only change working dir before unbound config test (unbound-checkconf chroot issue) so that a false-error does not trigger the trust anchor update
https://github.com/kulikov-a/core/commit/f0f1bed75801b097a4d53a59484c0b386cf961e7
nothing else changes in behavior

[tillsense]

yes must be older this is already longer so according to logs

[Fright]

sorry for the noise, is the problem gone or does it still shows up sometimes?

[tillsense]

Hi Fright,

currently not but i have an eye on it. why unbound start 3 times for the service runs through is not yet clear to me but thanks for your quick support and the patch!

cheers
till

[Fright]

Thanks, @tillsense

patch is merged (https://github.com/opnsense/core/pull/6197) it just remained not completely clear whether it is guaranteed to eliminate the issue

about 3-time starts: maybe there are additional inputs? unbound now starts way faster (with the py module). is it possible that you just click the Apply button on the DoT page a few times?

[tillsense]

... is it possible that you just click the Apply button on the DoT page a few times?

..no at boot the same. Logs say only start and stop 3x within 2-3min... have an internal ca so i notice that immediately.

cheers
till

[Fright]

yes, it is possible and depends on the actual system configuration and events (the patch didn't change anything about it). afaiu plugin management has "hooks" that manage plugin actions in response to system events (to let plugins "know" about system changes). for unbound it is: https://github.com/opnsense/core/blob/bdab4f6970ed0975f132bdf0879ad51b7bca3b57/src/etc/inc/plugins.inc.d/unbound.inc#L43-L48
you can see what hook triggers unbound action in general log (search by "unbound_" keyword)