1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1106186: unbound-resolvconf fails on start when systemd-resolved is

    From Wesley Hershberger@21:1/5 to All on Tue May 20 22:10:01 2025
    Package: unbound
    Version: 1.22.0-1+b1
    X-Debbugs-CC: roman.kolodziejczyk@canonical.com

    When systemd-resolved is installed (in Trixie cloud images and Ubuntu
    server), installing unbound & rebooting results in a failing service:

    $ systemctl status unbound-resolvconf
    × unbound-resolvconf.service - Unbound asyncronous resolvconf update helper
    Loaded: loaded (/usr/lib/systemd/system/unbound-resolvconf.service; enabl ed; preset: enabled)
    Active: failed (Result: exit-code) since Tue 2025-05-20 07:51:11
    CDT; 2s ago
    Duration: 46ms
    Invocation: c65cf6c1d33f4d5f8ea3ea837d043beb
    Process: 1135 ExecStart=/usr/libexec/unbound-helper
    resolvconf_start (code=exited, status=1/FAILURE)
    Main PID: 1135 (code=exited, status=1/FAILURE)
    Mem peak: 3.4M
    CPU: 28ms

    May 20 07:51:11 trixie2 systemd[1]: Started unbound-resolvconf.service
    - Unbound asyncronous resolvconf update helper.
    May 20 07:51:11 trixie2 resolvconf[1139]: Dropped protocol specifier
    '.unbound' from 'lo.unbound'. Using 'lo' (ifindex=1).
    May 20 07:51:11 trixie2 resolvconf[1139]: Failed to set DNS
    configuration: Link lo is loopback device.
    May 20 07:51:11 trixie2 systemd[1]: unbound-resolvconf.service: Main
    process exited, code=exited, status=1/FAILURE
    May 20 07:51:11 trixie2 systemd[1]: unbound-resolvconf.service: Failed
    with result 'exit-code'.

    I'm using LXD as a hypervisor with a trixie image provided by the LXD
    community image server (lxc launch images:debian/trixie/cloud --vm
    trixie0). This also affects Ubuntu (since Noble).

    The reasons this service exists are documented in #807132 (see
    comments 67 and 72). This wasn't an issue prior to systemd 251.4-1; in
    251.4-3 /sbin/resolvconf became a link to /bin/resolvectl (see
    #1019140). bind9 has a similar service that was introduced at the same
    time as Unbound's, but that service is disabled by default, so
    installation doesn't cause a failed service [1].

    The systemd error traces back to [2]. The git history is extremely
    light on context. However, we can glean something from the resolved
    manpage to explain resolvectl's requirement that DNS server addresses
    be associated with network interfaces [3]. There's a more complete
    discussion of this at [4]. TL;DR there isn't an equivalent to adding a
    global DNS server via `resolvectl` as is done with resolvconf [5][6].

    Upstream recommends setting DNS=127.0.0.1 in resolved.conf [7]. We
    could ship a drop-in:

    # /usr/lib/systemd/resolved.conf.d/10-unbound.conf
    [Resolve]
    DNS=127.0.0.1

    That would make this "just work" with resolved. This would break if
    the user configured Unbound not to listen on localhost without
    overriding the drop-in (that case is handled automatically by unbound-resolvconf.service [8]).

    It also seems that using resolvconf instead of resolved is still valid
    in Debian (please correct me if I'm wrong), so we shouldn't remove unbound-resolvconf.service entirely. I've included a diff in this bug
    report that installs but disables the service by default (same as
    bind9). I've tested that the fix prevents a failed service after
    reboot.

    However, if we disable unbound-resolvconf.service by default, then I'm
    not sure I see the point of adding a drop-in (for consistency).
    Alternatively, the service could be configured to detect if resolvconf
    is provided by resolved, and exit cleanly if so (or add a drop-in in
    /run; sounds problematic for reloading resolved config). I'd
    appreciate hearing someone else's perspective on this. Happy to put up
    an MR in Salsa if that would be more helpful.

    Thanks!
    ~Wesley Hershberger
    Canonical Support

    [1] https://salsa.debian.org/dns-team/bind9/-/blob/debian/9.20/debian/rules?ref_type=heads#L111
    [2] https://github.com/systemd/systemd/blob/main/src/network/networkd-link-bus.c#L71
    [3] https://manpages.debian.org/bookworm/systemd-resolved/systemd-resolved.8.en.html#PROTOCOLS_AND_ROUTING
    [4] https://github.com/systemd/systemd/issues/33973#issuecomment-2711105548
    [5] https://manpages.debian.org/testing/resolvconf/resolvconf.8.en.html#OPTIONS [6] https://manpages.debian.org/testing/manpages/resolv.conf.5.en.html
    [7] https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/local-stub.html#ubuntu
    [8] https://salsa.debian.org/dns-team/unbound/-/blob/master/debian/unbound-helper?ref_type=heads#L29

    diff --git a/debian/rules b/debian/rules
    index bb1efdc3e..810283f09 100755
    --- a/debian/rules
    +++ b/debian/rules
    @@ -107,8 +107,8 @@ ifeq (,${libonly})
    install -Dp -m 0644 debian/apparmor-profile debian/unbound/etc/apparmor.d/usr.sbin.unbound
    dh_apparmor --profile-name=usr.sbin.unbound -punbound

    - dh_installsystemd -punbound
    - dh_installsystemd -punbound --name=unbound-resolvconf --no-start --no-stop-on-upgrade
    + dh_installsystemd -punbound unbound.service
    + dh_installsystemd -punbound --no-enable --name=unbound-resolvconf --no-stop-on-upgrade unbound-resolvconf.service
    dh_installinit --error-handler=true --restart-after-upgrade

    install -d debian/unbound/etc/insserv.conf.d

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)