planet.alt.electron
Some people who write about things


Unbound on a fresh FreeBSD install


I’ve recently encountered a weird problem where unbound would not work on a fresh FreeBSD install on an APU3 board. Online research led to finding a bunch of posts complaining about this, but no leads. As it turns out, my problem was the clock.

But first things first. Installing FreeBSD on an APU board is very easy: at the boot shell, enter the following commands:

>set boot_serial=YES
>set comconsole_speed=115200
>set console=comconsole
#this delays the boot by 10s to allow the USB controller to come up
>set kern.cam.boot_delay="10000"

Of course, remember to drop into a shell at the end of the installation and edit /boot/loader.conf so that we can use it over the console afterwards:

boot_serial="YES"
comconsole_speed="115200"
console="comconsole"
kern.cam.boot_delay="10000"
amdtemp_load="YES" #this loads the driver for the temperature sensor embedded in the CPU. It is equivalent to the km driver in OpenBSD. Yay sensors!

Now, the APU board does not have an on-board clock. I did not set the time/date during installation (lazy), as NTP was going to be set up anyway. So, at this stage in /etc/ntp.conf, I replaced pool 0.freebsd.pool.ntp.org iburst with the name of my local NTP server.

Reboot after successful installation, cue unbound not working. General DNS failure. As unbound is DNSSEC enabled, run:

unbound-anchor

This sets up the root trust anchor for DNSSEC validation, which was part of the solution to this issue.

But unbound was still not working. Do not underestimate the value of actually checking the results of the commands you run:

cat /var/unbound/root.key

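The file contained no valid key, thus solving the mystery:

A quick ntpdate <ip-address> to set the clock, followed by running unbound-anchor again, solves the issue. DNSSEC signatures carry validity periods, so validation cannot succeed while the system clock is wrong.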

So frustrating.
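
The two checks that would have caught this straight away, written as a small sh script. This is an added example, not part of the original post: the function names, the MIN_EPOCH cut-off and the sample anchor contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: checks to run when unbound fails on a board with no clock set.

# Assumption: any time before 2024-01-01 00:00:00 UTC means the clock is unset.
MIN_EPOCH=1704067200

# clock_is_sane [EPOCH]: true if EPOCH (default: now) is not before MIN_EPOCH.
clock_is_sane() {
    now="${1:-$(date +%s)}"
    [ "$now" -ge "$MIN_EPOCH" ]
}

# anchor_is_usable FILE: true if FILE has at least one uncommented root-zone
# DS or DNSKEY record, which is what a successful unbound-anchor run leaves.
anchor_is_usable() {
    [ -s "$1" ] || return 1
    awk '
        /^[[:space:]]*;/ { next }    # comment-only lines carry no key
        $1 == "." {
            for (i = 2; i <= NF; i++)
                if ($i == "DS" || $i == "DNSKEY") { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# preflight FILE [EPOCH]: 0 = fine, 1 = anchor missing, 2 = clock unset.
preflight() {
    if ! clock_is_sane "$2"; then
        echo "clock looks unset: sync it first (ntpdate <ip-address>)"
        return 2
    fi
    if ! anchor_is_usable "$1"; then
        echo "no trust anchor in $1: run unbound-anchor again"
        return 1
    fi
    echo "clock and trust anchor look fine"
}

# Constructed sample of a populated anchor file; the key data is a placeholder.
sample_anchor() {
    cat <<'EOF'
; autotrust trust anchor file
. 86400 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA ;{id = 0 (ksk)}
EOF
}
```

On the box itself, source the script and call preflight /var/unbound/root.key; the clock check runs first because a missing anchor is only a symptom when the time is wrong.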