systemd nss-lookup.target is reached before unbound can successfully answer queries #296
Comments
If you want unbound to be delayed until nss-lookup has done, you should make it wait for that? I mean, make the nss-lookup.target wait for the unbound target to be done? Or a pseudo target like the network-online.target for name resolution? I think this is done in systemd by making the target require the other target that it needs to wait for. You need to then add those wait require lines to the systemd config to make it start the servers in the correct sequence that you need it to. It is more of an issue with systemd and archlinux setup, so I think you should really ask there, or if you do not know where, perhaps try our users mailing list to see if other users know about the systemd setup.
The service file, from unbound itself (see contrib/unbound.service.in), already does this:
And an excerpt of the service part:
From systemd manual:
So from what I can see unbound seems to send the notification (that it started and is ready to service requests) too early.
Unbound sends the notification that the server is up. But the rest of the system is not, this is why you get a response, from unbound, with SERVFAIL, a failure. This means unbound is up and responding. The servfail means that unbound cannot get content for the response. Unbound indicates that it has started, but there is no information if content is going to be available. I mean, when unbound starts and it indicates that it has come up, it cannot figure out if content for queries is going to be returned when it later is going to make lookups. For that you need, like, the network to be up and responding. And I see network-online in there. But there are not (yet?) good responses. If you make unbound wait for the things that make stuff respond to unbound, then it would work when you start it, I guess?
Maybe this line here is called too early: Line 692 in f6a527c
? As you can see from my logs above, after unbound sends the notification that it's started (which means we reach nss-lookup.target), DNS resolution fails with SERVFAIL.
No, the notification is for server start. I see you want no-servfail resolution, but that is not what unbound indicates with its 'the server has started' notification. For no-servfail resolution, you need unbound started, but also you need, apparently, something else. Something that causes when unbound makes queries, those queries get responses. If you made unbound's service file wait for that, it would likely work.
I was too quick with my previous reply. You are probably right, still need to test this though.
Works with this service file:
successfully answer queries. Changed contrib/unbound.service.in.
* nlnet/master: (37 commits)
- Fix NLnetLabs#296: systemd nss-lookup.target is reached before unbound can successfully answer queries. Changed contrib/unbound.service.in.
- Refactor to use sock_strerr shorthand function.
- Merge PR NLnetLabs#293: Add missing prototype. Also refactor to use the new shorthand function to clean up the code. Add missing prototype.
- Review fix, doxygen and assign null in case of error free. Please doxygen, quote the characters to stop it from parsing a doxygen command.
- Similar to NSD PR#113, implement that interface names can be used, eg. something like interface: eth0 is resolved at server start and uses the IP addresses for that named interface.
- Update documentation in python example code.
- Change configure to use EVP_sha256 instead of HMAC_Update for openssl-3.0.0.
- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
- Fix that dnstap reconnects do not spam the log with the repeated attempts. Attempts on the timer are only logged on high verbosity, if they produce a connection failure error.
- Fix stats double count issue (NLnetLabs#289).
- Create and init edns tags data for libunbound. Changelog note.
- Rerun autoconf. Rerun autoconf and autoheader on configure.ac, with libtool. Add changelog entry for PR NLnetLabs#277.
- Check for existence 'EVP_MAC_CTX_set_params' function (openssl >= 3.0.0-alpha5)
- Fix NLnetLabs#287: doc typo: "Additionaly". Changelog note for NLnetLabs#246 and NLnetLabs#284
- Merge PR NLnetLabs#284 and Fix NLnetLabs#246: Remove DLV entirely from Unbound. The DLV has been decommissioned and in unbound 1.5.4, in 2015, there was advice to stop using it. The current code base does not contain DLV code any more. The use of dlv options displays a warning. dlv removal, remove DLV reference from unused use in test case.
...
Running unbound 1.11.0 (pkg) on arch linux.
Other services rely on nss-lookup.target being reached when name resolution is actually working.
To demonstrate the issue I've created the following "check-name-resolution.service":
After a reboot (!) the journal shows this:
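A unit of the kind the report describes, constructed here as an added illustration (it is not the reporter's check-name-resolution.service, whose contents are not reproduced on this page, and not unbound's own unit file): it is ordered after nss-lookup.target, asks the system resolver (via NSS, which is what that target promises) for one name, and writes the outcome to the journal. The host name and the resolver address are assumptions; `getent hosts` exits non-zero when the lookup does not yield an address.

```ini
# /etc/systemd/system/check-name-resolution.service  (constructed example)
[Unit]
Description=Record whether name resolution works once nss-lookup.target is reached
# After= is ordering only: this unit starts once systemd considers
# nss-lookup.target reached. With unbound using Type=notify and
# Before=nss-lookup.target, that moment is when unbound has sent its
# "server started" notification, which says nothing about whether
# upstream queries already succeed.
After=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=oneshot
# One lookup through NSS; a SERVFAIL from the local resolver shows up as
# a failed lookup here. example.com is a placeholder name.
ExecStart=/bin/sh -c 'if getent hosts example.com >/dev/null; then echo "name resolution OK after nss-lookup.target"; else echo "name resolution FAILED after nss-lookup.target"; exit 1; fi'
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
```

After `systemctl enable check-name-resolution.service` and a reboot, `journalctl -b -u check-name-resolution.service` shows which branch ran, and `systemd-analyze critical-chain nss-lookup.target` shows what the target actually waited for.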