Hi,

can you confirm if unbound is running? What is the output of
/etc/init.d/unbound restart?

-Michael

On Fri, 2017-03-03 at 14:54 -0600, Paul Simmons wrote:
> On Wed, 2017-03-01 at 12:00 -0600, Paul Simmons wrote:
> > On Wed, 2017-03-01 at 16:17 +0000, Michael Tremer wrote:
> > > Hello,
> > >
> > > so I wanted to highlight this patch a little which has been merged
> > > into next.
> > >
> > > It will change fallback behaviour of DNS again which before switched
> > > to recursor mode if no usable forwarder could be found. Now IPFire
> > > will test if any of the root servers is available and if so, fall
> > > back to recursor mode. If not, it will change DNSSEC into permissive
> > > mode and will use all given forwarders.
> > >
> > > The idea behind this is to always be able to provide at least *some*
> > > DNS, although DNSSEC will be practically deactivated.
> > >
> > > It is still missing that we show a big warning where necessary, but
> > > at least for some people who were forced by their providers to use
> > > their own name servers which do not support DNSSEC at all.
> > >
> > > So, for the people who have been affected by this issue I can only
> > > recommend to test this and give us feedback within about one week.
> > > I would like to close the merge window for the next core update
> > > around then.
> > >
> > > Best,
> > > -Michael
> > >
> > > On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote:
> > > > The tests when assigning DNS name servers have been extended so
> > > > that if no working forwarder can be found, we will test if the
> > > > local recursor mode is an option.
> > > >
> > > > If not, we will configure unbound's validator module into
> > > > permissive mode so that at least some DNS functionality is
> > > > available.
> > > > > > > > Signed-off-by: Michael Tremer > > > > --- > > > >  config/rootfiles/core/110/filelists/files          |  1 + > > > >  lfs/unbound                                        |  1 + > > > >  src/initscripts/init.d/unbound                     | 67 > > > > ++++++++++++++++++++-- > > > >  ...ting-validator-permissive-mode-at-runtime.patch | 43 > > > > ++++++++++++++ > > > >  4 files changed, 107 insertions(+), 5 deletions(-) > > > >  create mode 100644 src/patches/unbound-allow-setting- > > > > validator- > > > > permissive-mode-at-runtime.patch > > > > > > > > diff --git a/config/rootfiles/core/110/filelists/files > > > > b/config/rootfiles/core/110/filelists/files > > > > index 670b9ae..f4ce989 100644 > > > > --- a/config/rootfiles/core/110/filelists/files > > > > +++ b/config/rootfiles/core/110/filelists/files > > > > @@ -1,5 +1,6 @@ > > > >  etc/system-release > > > >  etc/issue > > > > +etc/rc.d/init.d/unbound > > > >  srv/web/ipfire/cgi-bin/index.cgi > > > >  srv/web/ipfire/cgi-bin/vpnmain.cgi > > > >  usr/lib/libssp.so.0 > > > > diff --git a/lfs/unbound b/lfs/unbound > > > > index 2b7745c..f361f24 100644 > > > > --- a/lfs/unbound > > > > +++ b/lfs/unbound > > > > @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : > > > >  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > > >   @$(PREBUILD) > > > >   @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf > > > > $(DIR_DL)/$(DL_FILE) > > > > + cd $(DIR_APP) && patch -Np1 < > > > > $(DIR_SRC)/src/patches/unbound-allow-setting-validator- > > > > permissive- > > > > mode-at-runtime.patch > > > >   cd $(DIR_APP) && \ > > > >   ./configure \ > > > >   --prefix=/usr \ > > > > diff --git a/src/initscripts/init.d/unbound > > > > b/src/initscripts/init.d/unbound > > > > index 8802781..bbf9c00 100644 > > > > --- a/src/initscripts/init.d/unbound > > > > +++ b/src/initscripts/init.d/unbound 
> > > > @@ -114,17 +114,38 @@ update_forwarders() { > > > >   echo_warning > > > >   fi > > > >   > > > > - if [ -n "${broken_forwarders}" -a -z > > > > "${forwarders}" > > > > ]; then > > > > - boot_mesg "Falling back to recursor > > > > mode" > > > > ${WARNING} > > > > - echo_warning > > > > - > > > > - elif [ -n "${forwarders}" ]; then > > > > + if [ -n "${forwarders}" ]; then > > > >   boot_mesg "Configuring upstream name > > > > server(s): ${forwarders:1}" ${INFO} > > > >   echo_ok > > > >   > > > > + # Make sure DNSSEC is activated > > > > + enable_dnssec > > > > + > > > >   echo "${forwarders}" > > > > > /var/ipfire/red/dns > > > >   unbound-control -q forward > > > > ${forwarders} > > > >   return 0 > > > > + > > > > + # In case we have found no working forwarders > > > > + else > > > > + # Test if the recursor mode is > > > > available > > > > + if can_resolve_root > > > > +bufsize=${new_edns_buffer_size}; then > > > > + # Make sure DNSSEC is > > > > activated > > > > + enable_dnssec > > > > + > > > > + boot_mesg "Falling back to > > > > recursor > > > > mode" ${WARNING} > > > > + echo_warning > > > > + > > > > + # If not, we set DNSSEC in permissive > > > > mode > > > > and allow using all recursors > > > > + elif [ -n "${broken_forwarders}" ]; > > > > then > > > > + disable_dnssec > > > > + > > > > + boot_mesg "DNSSEC has been set > > > > to > > > > permissive mode" ${FAILURE} > > > > + echo_failure > > > > + > > > > + echo "${broken_forwarders}" > > > > > /var/ipfire/red/dns > > > > + unbound-control -q forward > > > > ${broken_forwarders} > > > > + return 0 > > > > + fi > > > >   fi > > > >   fi > > > >   
> > > > @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() { > > > >   return 1 > > > >  } > > > >   > > > > +get_root_nameservers() { > > > > + while read -r hostname ttl record address; do > > > > + # Searching for A records > > > > + [ "${record}" = "A" ] || continue > > > > + > > > > + echo "${address}" > > > > + done < /etc/unbound/root.hints > > > > +} > > > > + > > > > +can_resolve_root() { > > > > + local ns > > > > + for ns in $(get_root_nameservers); do > > > > + if dig @${ns} +dnssec SOA . $@ >/dev/null; > > > > then > > > > + return 0 > > > > + fi > > > > + done > > > > + > > > > + # none of the servers was reachable > > > > + return 1 > > > > +} > > > > + > > > > +enable_dnssec() { > > > > + local status=$(unbound-control get_option val- > > > > permissive- > > > > mode) > > > > + > > > > + # Don't do anything if DNSSEC is already activated > > > > + [ "${status}" = "no" ] && return 0 > > > > + > > > > + # Activate DNSSEC and flush cache with any stale and > > > > unvalidated data > > > > + unbound-control -q set_option val-permissive-mode: no > > > > + unbound-control -q flush_zone . > > > > +} > > > > + > > > > +disable_dnssec() { > > > > + unbound-control -q set_option val-permissive-mode: yes > > > > +} > > > > + > > > >  case "$1" in > > > >   start) > > > >   # Print a nicer messagen when unbound is > > > > already > > > > running > > > > diff --git a/src/patches/unbound-allow-setting-validator- > > > > permissive- > > > > mode-at-runtime.patch b/src/patches/unbound-allow-setting- > > > > validator- > > > > permissive-mode-at-runtime.patch > > > > new file mode 100644 > > > > index 0000000..f476d08 > > > > --- /dev/null > > > > +++ b/src/patches/unbound-allow-setting-validator-permissive- > > > > mode- > > > > at- > > > > runtime.patch 
> > > > @@ -0,0 +1,43 @@ > > > > +diff --git a/validator/validator.c b/validator/validator.c > > > > +index 676dcdf..7c19f3d 100644 > > > > +--- a/validator/validator.c > > > > ++++ b/validator/validator.c > > > > +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, > > > > struct > > > > val_env* val_env, > > > > +  int c; > > > > +  val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl; > > > > +  val_env->clean_additional = cfg- > > > > >val_clean_additional; > > > > +- val_env->permissive_mode = cfg->val_permissive_mode; > > > > ++ val_env->permissive_mode = &cfg->val_permissive_mode; > > > > +  if(!env->anchors) > > > > +  env->anchors = anchors_create(); > > > > +  if(!env->anchors) { > > > > +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id) > > > > +  } > > > > +  env->modinfo[id] = (void*)val_env; > > > > +  env->need_to_validate = 1; > > > > +- val_env->permissive_mode = 0; > > > > +  lock_basic_init(&val_env->bogus_lock); > > > > +  lock_protect(&val_env->bogus_lock, &val_env- > > > > > num_rrset_bogus, > > > > > > > > +  sizeof(val_env->num_rrset_bogus)); > > > > +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate* > > > > qstate, > > > > struct val_qstate* vq, > > > > +  } > > > > +  } > > > > +  /* If we are in permissive mode, bogus gets > > > > indeterminate */ > > > > +- if(ve->permissive_mode) > > > > ++ if(*ve->permissive_mode) > > > > +  vq->orig_msg->rep->security = > > > > sec_status_indeterminate; > > > > +  } > > > > +  > > > > +diff --git a/validator/validator.h b/validator/validator.h > > > > +index 23d3072..f8464b8 100644 > > > > +--- a/validator/validator.h > > > > ++++ b/validator/validator.h > > > > +@@ -104,7 +104,7 @@ struct val_env { > > > > +   * This allows an operator to run validation 'shadow' > > > > without > > > > +   * hurting responses to clients. 
> > > > +   */ > > > > +- int permissive_mode; > > > > ++ int* permissive_mode; > > > > +  > > > > +  /** > > > > +   * Number of entries in the NSEC3 maximum iteration > > > > count > > > > table.
> >
> > I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3
> > available locally, and will beg my users for downtime to test.
> >
> > Thank you, and best regards,
> > Paul
> >
>
> Bad juju - build c016773b couldn't resolve any hosts (other than those
> in "localdomain").
>
> Provider is "hughes.net" and is the only ISP available (no hardlines or
> other LOS/NLOS WISPs available).
>
> Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no change.
>
> Paul
>
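Review bot: in the update_forwarders() hunk (@@ -114,17 +114,38 @@), the new recursor branch under `if can_resolve_root +bufsize=${new_edns_buffer_size}` prints the fallback message and calls enable_dnssec but, unlike the two forwarder branches, neither writes /var/ipfire/red/dns nor issues `unbound-control -q forward` nor returns, so it falls through to whatever follows the closing `fi`; please confirm that code clears the old forwarder list, otherwise unbound keeps forwarding to the servers that just failed the test. When there are no forwarders at all and no root server answers, the `else` branch also ends without any boot_mesg, so the operator sees nothing; a message for that case would help. `${new_edns_buffer_size}` is used in the condition but not defined anywhere in the hunk, so confirm it is set in this function's scope before this point.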
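Review bot: in the @@ -370,6 +391,42 @@ hunk, can_resolve_root() runs `dig` with its default timeout and retries against every address returned by get_root_nameservers(), so on a link where the root servers are unreachable (the exact case this fallback is meant for) the check can hold the init script for several minutes before the permissive-mode branch is ever reached; bounding it with something like `dig @${ns} +dnssec +time=2 +tries=1 SOA . $@` would keep boot time predictable. get_root_nameservers() only keeps `A` records, so an IPv6-only RED connection never finds a reachable root server and always ends up in permissive mode; consider accepting `AAAA` as well. In enable_dnssec(), `status` is empty when unbound-control cannot reach the daemon, and the function then still tries to set the option and flush; returning non-zero on an empty status would surface that failure instead of hiding it.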
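Review bot: in the new src/patches/unbound-allow-setting-validator-permissive-mode-at-runtime.patch, making `val_env->permissive_mode` an `int*` into `cfg->val_permissive_mode` while deleting the `val_env->permissive_mode = 0;` line from val_init() leaves the pointer unset until val_apply_cfg() runs, and processFinished() dereferences it unconditionally with `if(*ve->permissive_mode)`; nothing in the hunks shows that ordering, so either keep an explicit `val_env->permissive_mode = NULL;` in val_init() plus a NULL check at the dereference, or document in the patch header why val_apply_cfg() is guaranteed to run first. The value is now also read by worker threads while the remote-control thread writes it through set_option without any lock; if that plain-int race is considered acceptable, a one-line comment in validator.h saying so would save the next reader the question. Since flipping this option at runtime silently turns bogus answers into indeterminate ones for every client, the missing warning in the web UI mentioned in the cover mail is the other half of this change.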
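The root-server reachability test Michael describes above (probe the root servers, and only fall back to recursor mode if one answers), as an added example that is not part of the patch or of IPFire's code: it parses root.hints the way get_root_nameservers() does but also keeps AAAA records, builds the same kind of query dig sends with +dnssec and +bufsize, and bounds each probe with a short timeout. The root.hints sample is constructed, and the function names are this example's own.

```python
import socket
import struct

# Constructed sample in the root.hints layout the patch reads: hostname ttl record address
SAMPLE_ROOT_HINTS = """\
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
"""

def root_nameservers(hints_text, records=("A", "AAAA")):
    """Return the root server addresses listed in root.hints text (A and AAAA by default)."""
    addrs = []
    for line in hints_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] in records:
            addrs.append(fields[3])
    return addrs

def build_soa_query(txid=0x1234, bufsize=1232):
    """SOA query for the root zone with an EDNS0 OPT record carrying the DO bit (dig +dnssec +bufsize)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", 6, 1)              # name ".", QTYPE SOA, QCLASS IN
    # OPT RR: name ".", type 41, class = UDP payload size, TTL = ext-rcode 0 / version 0 / DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + question + opt

def response_ok(query, reply):
    """True if the reply carries the query's id, the QR flag and RCODE NOERROR."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    qid = struct.unpack("!H", query[:2])[0]
    return rid == qid and bool(flags & 0x8000) and (flags & 0x000F) == 0

def can_resolve_root(addresses, timeout=2.0, bufsize=1232):
    """Probe each root server once with a bounded timeout; True as soon as one answers."""
    query = build_soa_query(bufsize=bufsize)
    for addr in addresses:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (addr, 53))
                reply, _ = sock.recvfrom(4096)
            except OSError:
                continue   # unreachable or timed out: try the next server
            if response_ok(query, reply):
                return True
    return False   # no root server answered: recursor mode is not an option
```

With a real /etc/unbound/root.hints, `can_resolve_root(root_nameservers(open(path).read()))` takes at most len(addresses) * timeout seconds, which is the bound the init script's dig loop lacks.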