From: Eugene Grosbein <eugen@grosbein.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-net@freebsd.org
Subject: Re: DNS KSK rollover, local_unbound and 11.2-STABLE
Date: Sat, 13 Oct 2018 17:58:32 +0700
Message-ID: <44dd8f4d-1608-b38f-2f3e-90d234065038@grosbein.net>
In-Reply-To: <86bm7y2lui.fsf@next.des.no>
List-Id: Networking and TCP/IP with FreeBSD

13.10.2018 17:16, Dag-Erling Smørgrav wrote:
> Eugene Grosbein writes:
>> The commands "unbound-anchor -vv; cat /var/unbound/root.key" show:
>> [...]
>> ; created by unbound-anchor on Sat Oct 13 14:28:12 2018
>> . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>> . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
>>
>> Several seconds later, "cat /var/unbound/root.key" shows:
>> [...]
>> It seems distinct processes update the file and one of them fails.
>
> You're supposed to run unbound-anchor *before* starting unbound (and the
> rc script will automatically do that if /var/unbound/root.key does not
> exist). What you're seeing now is unbound periodically overwriting
> root.key with what it has in memory.

This nanobsd does not have root.key in its persistent configuration and
runs mpd5 from ports as a PPPoE client for global connectivity.

According to rcorder, /etc/rc.d/local_unbound runs BEFORE: NETWORKING,
much earlier than /usr/local/etc/rc.d/mpd5 is started, which REQUIRES: SERVERS.

So the local_unbound startup script has no chance to update root.key with
unbound-anchor, and the unbound daemon starts with no root.key at all.
/etc/unbound is a symlink to /var/unbound here.
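The ordering problem above (unbound started before the PPPoE link exists, so root.key is never refreshed, and unbound later rewriting the file from memory) suggests a pre-start gate: verify that the anchor file already carries the post-rollover KSK (key tag 20326, DS shown in the thread), and otherwise refresh it into a temporary copy that is installed only if it validates. This is an added example, not code from the thread or from the FreeBSD rc scripts; it assumes `unbound-anchor` is in PATH and that ROOT_KEY may be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the thread): pre-start check for unbound's
# trust-anchor file. Refreshes it via a temporary copy so that a failed
# fetch (e.g. no global connectivity yet) never clobbers a usable anchor.
# Assumptions: unbound-anchor is in PATH; ROOT_KEY may be set externally.

ROOT_KEY="${ROOT_KEY:-/var/unbound/root.key}"

# DS record of the post-rollover root KSK (key tag 20326), as quoted in the thread.
KSK2017_DS="20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"

# has_ksk2017 FILE: exit 0 if FILE holds a '. IN DS' line for key tag 20326
# with the expected digest (comments ignored, whitespace normalised), else 1.
has_ksk2017() {
    [ -r "$1" ] || return 1
    grep -v '^;' "$1" | tr -s ' \t' ' ' | grep -qi "^\. IN DS $KSK2017_DS\$"
}

# refresh_anchor: update the anchor in a temp copy, keep it only if it now
# validates, then install it atomically. Exit 0 only with a usable anchor.
refresh_anchor() {
    if has_ksk2017 "$ROOT_KEY"; then
        echo "$ROOT_KEY already carries KSK-2017 (key tag 20326)"
        return 0
    fi
    tmp="$ROOT_KEY.new.$$"
    if [ -f "$ROOT_KEY" ]; then cp "$ROOT_KEY" "$tmp"; fi
    # 'unbound-anchor -a FILE' writes the (possibly updated) anchor to FILE.
    # Its exit status is 1 when the file was updated and 0 even on some
    # errors, so the result is verified by content rather than by status.
    unbound-anchor -a "$tmp" >/dev/null 2>&1 || true
    if has_ksk2017 "$tmp"; then
        mv "$tmp" "$ROOT_KEY" && echo "installed refreshed anchor to $ROOT_KEY"
    else
        rm -f "$tmp"
        echo "anchor refresh failed; do not start unbound yet" >&2
        return 1
    fi
}

# Usage: 'sh anchor-check.sh refresh && service local_unbound restart',
# run once the PPPoE link is up (e.g. from an mpd5 up-script).
case "${1:-}" in
    refresh) refresh_anchor ;;
esac
```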