From: "Rodney W. Grimes"
To: bsd-lists@BSDforge.com
CC: freebsd-net, "Rodney W. Grimes", Jaap Akkerhuis, Andriy Gapon, Ryan Steinmetz
Subject: Re: unbound and (isc) dhcpd startup order
Date: Thu, 18 Jun 2020 13:50:22 -0700 (PDT)
Message-Id: <202006182050.05IKoM1t092087@gndrsh.dnsmgr.net>

> On Wed, 17 Jun 2020 10:33:59 -0700 (PDT) Rodney W. Grimes freebsd-rwg@gndrsh.dnsmgr.net said
>
> > > On (06/16/20 08:14), Rodney W. Grimes wrote:
> > >>Ok, well, I just thought of one and not sure if it is an issue or not,
> > >>doesn't unbound have the ability to specify interfaces? If so those
> > >>may not exist until NETWORKING has run?
> > >
> > > Unbound isn't really going to do anything useful without the network. I
> > > don't think it is unreasonable that it should depend on NETWORKING.
> >
> > Well then the current setup for local_unbound is counter to that,
> > as it is BEFORE: NETWORKING
> >
> > > I think we're in an edge case here and, perhaps, a better solution might
> > > be to have someone(tm) add in support in rc.conf to specify dependency
> > > overrides.
> >
> > dns and configuration are a chicken/egg problem, not really an edge
> > case, and a person must make a decision as to how to deal with that.
> >
> > >
> > > So, perhaps you could set:
> > >
> > > dhcpd_after="unbound"
> > >
> > > Which would factor into the rcorder processing and make sure that dhcpd
> > > starts after unbound.
> > >
> > > This would allow people to fine-tune things when they run into cases
> > > like this.
> >
> > Even beside the unbound problem, this is a good idea. It would
> > fix my "I need ipfw before routing as without ipfw my ospf packets
> > get blocked and things take much longer to come up problem."
> Honestly. I'm really inclined to agree with Rodney. rcorder should
> really be a more fine-grained utility.
> What about something like:
> BEFORE: NETWORKING: pf
> or
> BEFORE: NETWORKING: ipfw
> or
> BEFORE: NETWORKING: unbound
> etc, etc...
> I think there *may* be a better direction. *But* this, at least
> should be an easy direction to add with few repercussions. Yes?

I do not see your fine graining, the above can be expressed already
with just the pf, ipfw or unbound keyword can't they?

Though I do think we need to maybe find ways to alter what the
default values for BEFORE: and REQUIRE: are in the /etc/rc.d files.

As my example I use the fact I have to add ipfw to rc.d/routing
as it is problematic getting a routing protocol (ospf, bgp, ripv2)
to come up when the firewall is blocking all the packets. It
eventually sorts itself out, but it's ugly on the console and on the wire.

> > >
> > > -r
> > >
> > > The idea that a daemon that depends on the network being functional
> > > >> > > >> On a related note, unbound rc script provides "unbound" service.
> > > >> > > >> I think that maybe it should provide something more generic such as "nameserver"
> > > >> > > >> or "dns-server" (not sure if there is an established name for that).
> > > >> > > >> The reason I am saying this is that, IMO, if unbound is replaced with some other
> > > >> > > >> name server implementation the rc dependency chains should stay the same.
> > > >> > > >
> > > >> > > > I do not see anything in the base system that uses unbound or local_unbound
> > > >> > > > service name, so this looks like it could be straightforward, though there
> > > >> > > > may be some ports that have use of this token.
> > > >> > > >
> > > >> > > > For the blue bikeshed I find that "server" is just noise in the token
> > > >> > > > and that "dns" already has "s" for system, so just "dns" is good with me :-)
> > > >> > >
> > > >> > > That's a good point.
> > > >> >
> > > >> I don't agree. The term dns is too generic. People are often running
> > > >> different nameservers on the same machine, as example: authoritative
> > > >> and nonauthoritative (e.g. nsd & unbound).
> > > >
> > >>Given examples by others you're right, we can not put all of these
> > >>behind the knob "dns".
> > > >
> > > >> Regards,
> > > >> jaap
> > >>--
> > >>Rod Grimes
> > >rgrimes@freebsd.org
> > >
> > > --
> > > Ryan Steinmetz
> > > PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
> > >
> >
> > --
> > Rod Grimes
> > rgrimes@freebsd.org
>
> --Chris
>

-- 
Rod Grimes
rgrimes@freebsd.org
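
Added example, not part of this message or of FreeBSD's rc.d: a small Python model of the PROVIDE/REQUIRE/BEFORE ordering discussed in this thread, checking whether the dependency graph forces one script to start ahead of another (the ipfw-before-routing case) instead of it merely happening to. The script headers are constructed and simplified, and the `after` argument is a hypothetical stand-in for the dhcpd_after="unbound" idea proposed in the thread.

```python
import re
from collections import defaultdict

TAG = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$")

# Constructed, simplified headers; NOT the contents of FreeBSD's /etc/rc.d files.
SCRIPTS = {
    "netif":   "# PROVIDE: netif\n",
    "ipfw":    "# PROVIDE: ipfw\n# REQUIRE: netif\n",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
    "unbound": "# PROVIDE: unbound\n# REQUIRE: routing\n",
    "dhcpd":   "# PROVIDE: dhcpd\n# REQUIRE: routing\n",
}

def edges(scripts, after=None):
    """Map each script to the set of scripts that must start before it.
    `after` models the dhcpd_after="unbound" idea as {"dhcpd": ["unbound"]}."""
    tags = {}
    for name, text in scripts.items():
        t = defaultdict(list)
        for line in text.splitlines():
            m = TAG.match(line)
            if m:
                t[m.group(1)] += m.group(2).split()
        tags[name] = t
    provides = defaultdict(set)
    for name, t in tags.items():
        for p in t["PROVIDE"]:
            provides[p].add(name)
    before = {name: set() for name in scripts}
    for name, t in tags.items():
        for r in t["REQUIRE"]:          # whatever provides r starts first
            before[name] |= provides[r]
        for b in t["BEFORE"]:           # this script starts ahead of b's providers
            for later in provides[b]:
                before[later].add(name)
    for name, firsts in (after or {}).items():
        for f in firsts:
            before[name] |= provides[f]
    return before

def guaranteed_before(scripts, first, later, after=None):
    """True only if the graph forces `first` to start ahead of `later`."""
    before, seen, todo = edges(scripts, after), set(), [later]
    while todo:
        for dep in before[todo.pop()] - seen:
            seen.add(dep)
            todo.append(dep)
    return first in seen
```

A False result means the two scripts are unordered with respect to each other, so any observed ordering (firewall rules loaded before routing starts, for instance) is incidental and can change when the script set changes.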