pi@pi-hole:~ $ sudo unbound -d -vvvvv
[1570194362] unbound[28022:0] notice: Start of unbound 1.6.0.
[1570194362] unbound[28022:0] debug: increased limit(open files) from 1024 to 4140
[1570194362] unbound[28022:0] debug: creating udp4 socket 127.0.0.1 5353
[1570194362] unbound[28022:0] debug: creating tcp4 socket 127.0.0.1 5353
[1570194362] unbound[28022:0] debug: creating tcp4 socket 127.0.0.1 8953
[1570194362] unbound[28022:0] debug: setup SSL certificates
[1570194362] unbound[28022:0] debug: chdir to /etc/unbound
[1570194362] unbound[28022:0] debug: drop user privileges, run as unbound
[1570194362] unbound[28022:0] debug: switching log to /var/log/unbound.log
I think this may be linked with qname minimisation.
I noted I had a file qname-minimisation.conf in /etc/unbound/unbound.conf.d
This file contains:
qname-minimisation: yes
If I remove this file and add the qname option to the main /unbound.conf.d/pihole.conf file I see similar behaviour.
If I change the option to qname-minimisation: no I see similar behaviour.
If I remove qname-minimisation completely from the config, I dont appear to have any problems
im running stretch lite. apt-cache policy tells me 1.6.0 is the latest available version for this distro
Im not sure i know how to compile etc to bump up the unbound version?
This would be my understanding also, but at this point ill try anything to have it working as i want.
Ive added deb http://ftp.uk.debian.org/debian sid main to my /etc/apt/sources.list
guess i cross my fingers now?
edit: no key for Index of /debian/
Is there any know issues with qname minimisation? Ive not found anything via Google?
I can live without it, but the point is i shouldnt have to. As others have the same version of unbound running, and working, there must be something up on my install? And im a tinkerer, and would like to know what and how to fix!
Currently I have pi-hole, unbound and OpenVPN running on this particular rasperry pi.
Ive looked at doing an in place upgrade to Buster, just nervous about losing data and current setup etc. and not had time to make a backup of the sd card
SERVFAIL typically indicates that the DNSSEC process could not be completed. If the time/date on the Pi are correct, that may indicate a problem with your certificate.
If it were me, I would do a complete unbound removal, then reinstall.
Quick question....
When I create the pi-hole unbound conf file in /etc/unbound/unbound.conf.d what user should the file be created as? sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Or nano /etc/unbound/unbound.conf.d/pi-hole.conf
So, I've fully uninstalled unbound.
Manually deleted any remaining config files
Reinstalled unbound following the guide to the letter.
And yeah, you guessed...still have SERVFAIL errors. https://dnssec.vs.uni-due.de/ reports that dnssec is not working
(This is the case on multiple browsers)
Yet if I use the dig commands noted in the guide the results are as expected.
Head and brick wall