
Unbound cannot be started after configuring dnscrypt #602

Closed
liang-hiwin opened this issue Jan 8, 2022 · 10 comments

Comments

@liang-hiwin

unbound -V

Version 1.14.0

Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1d  10 Sep 2019
Linked modules: dns64 cachedb subnetcache ipset respip validator iterator
DNSCrypt feature available
TCP Fastopen feature available

The configuration is as follows:

interface: 0.0.0.0@8443
interface: ::0@8443

dnscrypt:
dnscrypt-enable: yes
dnscrypt-port: 8443
dnscrypt-provider: 2.dnscrypt-cert.exp.domain.com.
dnscrypt-secret-key: /etc/dnscrypt/ssl.key
dnscrypt-provider-cert: /etc/dnscrypt/ssl.cert

@wcawijngaards
Member

What is the error from unbound, that it prints why it cannot start? It can be found in the logs.

@liang-hiwin
Author

What is the error from unbound, that it prints why it cannot start? It can be found in the logs.

How do I output the error log?

@wcawijngaards
Member

The error logs should be located in the syslog for the machine. By default this is where unbound logs contents. You can configure unbound to log somewhere else with the log-file directive with a filename of your choice. And set the amount of logging with the verbosity directive.

https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-logfile-filename
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-use-syslog-yes-or-no
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-verbosity-number
These links to the man page may help to configure logging, if needed. Or find the error in the syslog for the machine, by default.

If you have trouble finding out why unbound does not start, there is a commandline option to help with that. To use it, start unbound from the commandline, from the terminal, and briefly attempt to start it from there. If it starts running, you would have to kill the process. By giving unbound the -d option it stays attached to the terminal console, so it does not fork away into the background. And with the -dd option logging is directed to the terminal as well. So that you can see the log output on the console of the terminal. Usually you may also want to set which config file to use, if it is not in the default location, and then start with something like unbound -c myconfig -dd, perhaps add -vvvv or so to increase logging verbosity if you want.

This is in the man page here.
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.html#cmdoption-d

@liang-hiwin
Author

liang-hiwin commented Jan 14, 2022

The error logs should be located in the syslog for the machine. By default this is where unbound logs contents. You can configure unbound to log somewhere else with the log-file directive with a filename of your choice. And set the amount of logging with the verbosity directive.

https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-logfile-filename
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-use-syslog-yes-or-no
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-verbosity-number
These links to the man page may help to configure logging, if needed. Or find the error in the syslog for the machine, by default.

If you have trouble finding out why unbound does not start, there is a commandline option to help with that. To use it, start unbound from the commandline, from the terminal, and briefly attempt to start it from there. If it starts running, you would have to kill the process. By giving unbound the -d option it stays attached to the terminal console, so it does not fork away into the background. And with the -dd option logging is directed to the terminal as well. So that you can see the log output on the console of the terminal. Usually you may also want to set which config file to use, if it is not in the default location, and then start with something like unbound -c myconfig -dd, perhaps add -vvvv or so to increase logging verbosity if you want.

This is in the man page here. https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.html#cmdoption-d

/usr/local/etc/unbound/unbound.conf:92: error: syntax error
read /usr/local/etc/unbound/unbound.conf failed: 1 errors in configuration file

90    interface: 0.0.0.0@8443
91    interface: ::0@8443
92    dnscrypt-enable: yes
93    dnscrypt-port: 8443
94    dnscrypt-provider: 2.dnscrypt-cert.exp.com.
95    dnscrypt-secret-key: /etc/dnscrypt/1.key
96    dnscrypt-provider-cert: /etc/dnscrypt/1.cert

a

b

@liang-hiwin
Author

c

@wcawijngaards
Member

wcawijngaards commented Jan 14, 2022

The issue is a missing line between line 91 and 92, dnscrypt: that is the start of the dnscrypt options section.
Then, once you are done with the dnscrypt options, you would need to start the server: section again if you have more server options below it.

@liang-hiwin
Author

The issue is a missing line between line 91 and 92, dnscrypt: that is the start of the dnscrypt options section. Then, once you are done with the dnscrypt options, you would need to start the server: section again if you have more server options below it.

fatal error: module conf 'subnetcache validator cachedb iterator' is not known to work

@wcawijngaards
Member

From what I can see, there is no listed combination with subnetcache and cachedb that is known to work. What you suggest seems reasonable, if that works, I can add it to the list of known combinations.
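The two failures in this thread (dnscrypt-* options placed outside a dnscrypt: clause, and a module-config naming a combination unbound does not accept) are both structural problems in unbound.conf. Below is an added example, written for this thread and not part of unbound or of anything posted above: a small Python checker that splits a config into clauses and reports options that sit in the wrong clause, plus a name-level check of module-config against the "Linked modules" list from the unbound -V output at the top of the issue. The clause list and the option-to-clause mapping are a hand-picked subset (an assumption; unbound has many more), clause keywords are only recognised on their own line, and the list of module combinations that unbound considers known to work is kept in unbound's source and is deliberately not reproduced here. The two sample configs are constructed from the reporter's lines 90-96.

```python
import re

# Clause keywords that open a new section in unbound.conf. Subset chosen for
# this example (assumption); unbound has more clauses than these.
CLAUSES = {"server", "dnscrypt", "remote-control", "forward-zone",
           "stub-zone", "auth-zone", "rpz", "cachedb"}

# Which clause an option belongs to. Constructed from the unbound.conf man
# page sections for the options that appear in this thread; extend as needed.
OPTION_CLAUSE = {
    "interface": "server",
    "module-config": "server",
    "verbosity": "server",
    "log-file": "server",
    "use-syslog": "server",
    "dnscrypt-enable": "dnscrypt",
    "dnscrypt-port": "dnscrypt",
    "dnscrypt-provider": "dnscrypt",
    "dnscrypt-secret-key": "dnscrypt",
    "dnscrypt-provider-cert": "dnscrypt",
}

# "Linked modules" as printed by unbound -V at the top of this thread.
LINKED_MODULES = {"dns64", "cachedb", "subnetcache", "ipset", "respip",
                  "validator", "iterator"}

# Constructed sample: the reporter's lines 90-96 with no dnscrypt: clause,
# so the dnscrypt-* options end up inside server: (unbound: "syntax error").
BROKEN_CONF = """server:
    interface: 0.0.0.0@8443
    interface: ::0@8443
    dnscrypt-enable: yes
    dnscrypt-port: 8443
    dnscrypt-provider: 2.dnscrypt-cert.exp.com.
    dnscrypt-secret-key: /etc/dnscrypt/1.key
    dnscrypt-provider-cert: /etc/dnscrypt/1.cert
    module-config: "subnetcache validator cachedb iterator"
"""

# Constructed sample: same options with the dnscrypt: clause opened, and
# server: reopened for the remaining server option, as the maintainer advises.
FIXED_CONF = """server:
    interface: 0.0.0.0@8443
    interface: ::0@8443

dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 8443
    dnscrypt-provider: 2.dnscrypt-cert.exp.com.
    dnscrypt-secret-key: /etc/dnscrypt/1.key
    dnscrypt-provider-cert: /etc/dnscrypt/1.cert

server:
    module-config: "subnetcache validator cachedb iterator"
"""

LINE_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def check_module_config(lineno, value):
    """Flag module names that are not compiled into this unbound binary.

    Name-level check only: unbound additionally requires the whole
    combination to be on its list of known-to-work module orders (the
    'is not known to work' fatal error in this thread); that list lives in
    unbound's source and is not reproduced here.
    """
    modules = value.strip().strip('"').split()
    return [(lineno, "module '%s' is not in the linked modules" % mod)
            for mod in modules if mod not in LINKED_MODULES]


def check_config(text):
    """Return [(line_number, message)] for options placed in the wrong clause.

    Simplification: a clause keyword is recognised only on its own line
    ("dnscrypt:"); unbound's real parser is token based and looser.
    """
    problems = []
    current = None  # clause we are currently inside
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "cannot parse: %r" % raw.strip()))
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in CLAUSES and value == "":
            current = key  # a new clause starts here
            continue
        if current is None:
            problems.append((lineno, "option %s before any clause" % key))
            continue
        expected = OPTION_CLAUSE.get(key)
        if expected is not None and expected != current:
            problems.append((lineno, "%s is a %s: option but sits in %s:"
                             % (key, expected, current)))
        if key == "module-config":
            problems.extend(check_module_config(lineno, value))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name + ":", check_config(conf) or "no problems")
```

Run it as a script and the broken sample reports five misplaced dnscrypt-* options starting at line 4 (the reporter's line 92), while the fixed sample is clean. Because unbound keys clause scope off the last clause keyword seen, the order of sections matters: anything after dnscrypt: is read as a dnscrypt option until server: (or another clause) appears again, which is why the maintainer's advice to reopen server: is needed.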

@wcawijngaards
Member

wcawijngaards commented Jan 14, 2022

I have added the combination to the list of allowed entries, in the commit above.

@liang-hiwin
Author

I have added the combination to the list of allowed entries, in the commit above.

thank you 😁

jedisct1 added a commit to jedisct1/unbound that referenced this issue Jan 25, 2022
* nlnet/master:
  Changelog note for NLnetLabs#612: - Merge PR NLnetLabs#612: TCP race condition.
  - Fix NLnetLabs#588: Unbound 1.13.2 crashes due to p->pc is NULL in   serviced_udp_callback.
  - Better bookkeeping when reclaiming the TCP buffer.
  - Mark waiting_tcp and serviced_query as being in the   cb_and_decommission stage to signal later code about their state;   prevents premature item deletion.
  Changelog note for NLnetLabs#610 - Fix NLnetLabs#610: Undefine-shift in sldns_str2wire_hip_buf.
  - Fix NLnetLabs#610: Undefine-shift in sldns_str2wire_hip_buf.
  - Add serviced_query timer to send upstream queries outside of the mesh   flow to prevent race conditions.
  - For dnstap, do not wakeupnow right there. Instead zero the timer to   force the wakeup callback asap.
  - For NLnetLabs#602: Allow the module-config "subnetcache validator cachedb   iterator".
  - Add rpz: for-downstream: yesno option, where the RPZ zone is   authoritatively answered for, so the RPZ zone contents can be   checked with DNS queries directed at the RPZ zone.
  Changelog note for NLnetLabs#605: - Merge PR NLnetLabs#605: Fix EDNS to upstream where the same option could be   attached more than once.
  - Make sure callback changes for EDNS are not lost.
  - Fix EDNS to upstream where the same option could be attached more than   once. - Add a region to serviced_query for allocations.