DNS KSK rollover, local_unbound and 11.2-STABLE
Eugene Grosbein
eugen at grosbein.net
Sat Oct 13 10:58:48 UTC 2018
13.10.2018 17:16, Dag-Erling Smørgrav wrote:
> Eugene Grosbein <eugen at grosbein.net> writes:
>> The commands "unbound-anchor -vv; cat /var/unbound/root.key" show:
>> [...]
>> ; created by unbound-anchor on Sat Oct 13 14:28:12 2018
>> . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>> . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
>>
>> Several seconds later, "cat /var/unbound/root.key" shows:
>> [...]
>> It seems, distinct processes update the file and one of them fails.
>
> You're supposed to run unbound-anchor *before* starting unbound (and the
> rc script will automatically do that if /var/unbound/root.key does not
> exist). What you're seeing now is unbound periodically overwriting
> root.key with what it has in memory.
This nanobsd does not have root.key in its persistent configuration
and runs mpd5 from ports as PPPoE client for global connectivity.
According to rcorder, /etc/rc.d/local_unbound runs BEFORE: NETWORKING
and much earlier than /usr/local/etc/rc.d/mpd5 is started that REQUIRES: SERVERS
So, local_unbound startup script has no chance to update root.key with unbound-anchor
and the unbound daemon starts with no root.key at all.
/etc/unbound is symlink to /var/unbound here.
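A small validator for the trust-anchor file discussed above, added here as an example and not part of the thread or of unbound itself: it parses the DS form quoted in the message, checks digest lengths, and reports the two failure modes described (an empty root.key because unbound-anchor never ran before unbound, or a file that lacks the new KSK, key tag 20326). The sample file content is constructed from the two DS lines quoted in the thread; the required key tag is a parameter so the check can be re-pointed at a later rollover.

```python
import re

# Constructed sample mirroring the DS lines quoted in the thread
# (root KSK key tags 19036 and 20326); not read from any real host.
SAMPLE_ROOT_KEY = """\
; created by unbound-anchor on Sat Oct 13 14:28:12 2018
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
"""

# Expected hex digest length per DS digest type (1 = SHA-1, 2 = SHA-256).
DIGEST_HEX_LEN = {1: 40, 2: 64}

# Matches ". [TTL] IN DS <keytag> <alg> <digesttype> <hex digest>"
# (the DS form shown above; a DNSKEY-format root.key is not handled here).
DS_RE = re.compile(
    r"^\.\s+(?:\d+\s+)?IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def parse_ds_anchors(text):
    """Return [(key_tag, algorithm, digest_type, digest), ...] from root.key text.
    Comment (';') and blank lines are skipped; a malformed DS line or a digest
    of the wrong length for its type raises ValueError."""
    anchors = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DS_RE.match(line)
        if not m:
            raise ValueError("unrecognised trust-anchor line: %r" % line)
        tag, alg, dtype = int(m.group(1)), int(m.group(2)), int(m.group(3))
        digest = re.sub(r"\s+", "", m.group(4)).upper()
        want = DIGEST_HEX_LEN.get(dtype)
        if want is not None and len(digest) != want:
            raise ValueError("DS %d: digest type %d needs %d hex chars, got %d"
                             % (tag, dtype, want, len(digest)))
        anchors.append((tag, alg, dtype, digest))
    return anchors


def check_root_anchor(text, required_tag=20326):
    """Return (ok, reason). Fails on an empty anchor file (daemon started
    before unbound-anchor ran) or when the required KSK tag is absent."""
    anchors = parse_ds_anchors(text)
    if not anchors:
        return False, "no trust anchor present"
    if not any(a[0] == required_tag for a in anchors):
        return False, "key tag %d missing (stale anchor)" % required_tag
    return True, "key tag %d present" % required_tag
```

On a live host, feed it the contents of /var/unbound/root.key and alert when the result is not ok, which catches exactly the empty-file case described in the message.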