Error install unbound

root@armbian:~# sudo service unbound start
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.
:confused:
Details about my system:
image

validation
image

Please give a solution. Thanks.

Please give detailed description of the exact problem.

Test validation always SERVFAIL.
which should be NOERROR according to the instructions at unbound - Pi-hole documentation

Some information, such as sharing your .conf and unbound logs (you may have to increase the verbosity) would be helpful. You have given us nothing to go on.

1 Like

root@armbian:~# sudo unbound-anchor
could not write builtin anchor, to file /usr/share/dns/root.key: No such file or directory
[1711731247] libunbound[6995:0] error: unable to open /usr/share/dns/root.key for reading: No such file or directory
[1711731247] libunbound[6995:0] error: error reading auto-trust-anchor-file: /usr/share/dns/root.key
[1711731247] libunbound[6995:0] error: validator: error in trustanchors config
[1711731247] libunbound[6995:0] error: validator: could not apply configuration settings.
[1711731247] libunbound[6995:0] error: module init for module validator failed

root.key is missing, is this what makes unbound not run?
how to get the root.key?
unbound v 1.17.1

root.key should have been installed with unbound. I'm not sure how you installed unbound but you may wish to just uninstall it and reinstall following this guide.

https://docs.pi-hole.net/guides/dns/unbound/?h=unbound

I have tried exactly the same as the document, the problem is still the same.

unbound doesn't work, root.key also doesn't exist. I'm confused about explaining the details, but the problem I'm experiencing is that unbound doesn't work because the root.key file doesn't exist.

The guide talks about two ways to install Unbound.

  • Using a package manager, like apt. In that case the root hints file is installed, and will be maintained, automatically. This is the simpler approach.
  • Not using a package manager. In that case you need to install, enable and periodically update the root hints file manually yourself.

Last login: Sat Mar 30 13:23:04 2024 from 192.168.2.36
root@armbian:~# sudo apt-get install unbound -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libevent-2.1-7 libprotobuf-c1
Suggested packages:
apparmor
Recommended packages:
dns-root-data
The following NEW packages will be installed:
libevent-2.1-7 libprotobuf-c1 unbound
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,079 kB of archives.
After this operation, 5,518 kB of additional disk space will be used.
Get:1 http://security.debian.org bookworm-security/main arm64 unbound arm64 1.17.1-2+deb12u2 [884 kB]
Get:2 Index of /debian bookworm/main arm64 libevent-2.1-7 arm64 2.1.12-stable-8 [168 kB]
Get:3 Index of /debian bookworm/main arm64 libprotobuf-c1 arm64 1.4.1-1+b1 [26.6 kB]
Fetched 1,079 kB in 4s (279 kB/s)
Selecting previously unselected package libevent-2.1-7:arm64.
(Reading database ... 38972 files and directories currently installed.)
Preparing to unpack .../libevent-2.1-7_2.1.12-stable-8_arm64.deb ...
Unpacking libevent-2.1-7:arm64 (2.1.12-stable-8) ...
Selecting previously unselected package libprotobuf-c1:arm64.
Preparing to unpack .../libprotobuf-c1_1.4.1-1+b1_arm64.deb ...
Unpacking libprotobuf-c1:arm64 (1.4.1-1+b1) ...
Selecting previously unselected package unbound.
Preparing to unpack .../unbound_1.17.1-2+deb12u2_arm64.deb ...
Unpacking unbound (1.17.1-2+deb12u2) ...
Setting up libprotobuf-c1:arm64 (1.4.1-1+b1) ...
Setting up libevent-2.1-7:arm64 (2.1.12-stable-8) ...
Setting up unbound (1.17.1-2+deb12u2) ...
Created symlink /etc/systemd/system/multi-user.target.wants/unbound.service → /lib/systemd/system/unbound.service.
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
Created symlink /etc/systemd/system/unbound.service.wants/unbound-resolvconf.service → /lib/systemd/system/unbound-resolvconf.service.
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...

root@armbian:~# wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . "
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: March 25, 2024
; related version of root zone: 2024032501
;
; FORMERLY NS.INTERNIC.NET
;
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file

root@armbian:~# sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

root@armbian:~# sudo service unbound start
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.

root@armbian:~# unbound-checkconf
/var/lib/unbound/root.key: No such file or directory
[1711781434] unbound-checkconf[5117:0] fatal error: auto-trust-anchor-file: "/var/lib/unbound/root.key" does not exist
root@armbian:~#

I found a github post that talked about this issue being related to the debian package. This article is from Dec 2022 so its a little dated but may provide some insights.

Unbound runs in a chroot jail, /var/lib/unbound/ inside the jail is not the same as the directory outside of the jail.

Install that package.