Package: unbound
Version: 1.22.0-1+b1
X-Debbugs-CC: roman.kolodziejc...@canonical.com
When systemd-resolved is installed (in Trixie cloud images and Ubuntu
server), installing unbound & rebooting results in a failing service:
$ systemctl status unbound-resolvconf
× unbound-resolvconf.service - Unbound asyncronous resolvconf update helper
Loaded: loaded (/usr/lib/systemd/system/unbound-resolvconf.service; enabl
ed; preset: enabled)
Active: failed (Result: exit-code) since Tue 2025-05-20 07:51:11
CDT; 2s ago
Duration: 46ms
Invocation: c65cf6c1d33f4d5f8ea3ea837d043beb
Process: 1135 ExecStart=/usr/libexec/unbound-helper
resolvconf_start (code=exited, status=1/FAILURE)
Main PID: 1135 (code=exited, status=1/FAILURE)
Mem peak: 3.4M
CPU: 28ms
May 20 07:51:11 trixie2 systemd[1]: Started unbound-resolvconf.service
- Unbound asyncronous resolvconf update helper.
May 20 07:51:11 trixie2 resolvconf[1139]: Dropped protocol specifier
'.unbound' from 'lo.unbound'. Using 'lo' (ifindex=1).
May 20 07:51:11 trixie2 resolvconf[1139]: Failed to set DNS
configuration: Link lo is loopback device.
May 20 07:51:11 trixie2 systemd[1]: unbound-resolvconf.service: Main
process exited, code=exited, status=1/FAILURE
May 20 07:51:11 trixie2 systemd[1]: unbound-resolvconf.service: Failed
with result 'exit-code'.
I'm using LXD as a hypervisor with a trixie image provided by the LXD
community image server (lxc launch images:debian/trixie/cloud --vm
trixie0). This also affects Ubuntu (since Noble).
The reasons this service exists are documented in #807132 (see
comments 67 and 72). This wasn't an issue prior to systemd 251.4-1; in
251.4-3 /sbin/resolvconf became a link to /bin/resolvectl (see
#1019140). bind9 has a similar service that was introduced at the same
time as Unbound's, but that service is disabled by default, so
installation doesn't cause a failed service [1].
The systemd error traces back to [2]. The git history is extremely
light on context. However, we can glean something from the resolved
manpage to explain resolvectl's requirement that DNS server addresses
be associated with network interfaces [3]. There's a more complete
discussion of this at [4]. TL;DR there isn't an equivalent to adding a
global DNS server via `resolvectl` as is done with resolvconf [5][6].
Upstream recommends setting DNS=127.0.0.1 in resolved.conf [7]. We
could ship a drop-in:
# /usr/lib/systemd/resolved.conf.d/10-unbound.conf
[Resolve]
DNS=127.0.0.1
That would make this "just work" with resolved. This would break if
the user configured Unbound not to listen on localhost without
overriding the drop-in (that case is handled automatically by
unbound-resolvconf.service [8]).
It also seems that using resolvconf instead of resolved is still valid
in Debian (please correct me if I'm wrong), so we shouldn't remove
unbound-resolvconf.service entirely. I've included a diff in this bug
report that installs but disables the service by default (same as
bind9). I've tested that the fix prevents a failed service after
reboot.
However, if we disable unbound-resolvconf.service by default, then I'm
not sure I see the point of adding a drop-in (for consistency).
Alternatively, the service could be configured to detect if resolvconf
is provided by resolved, and exit cleanly if so (or add a drop-in in
/run; sounds problematic for reloading resolved config). I'd
appreciate hearing someone else's perspective on this. Happy to put up
an MR in Salsa if that would be more helpful.
Thanks!
~Wesley Hershberger
Canonical Support
[1]
https://salsa.debian.org/dns-team/bind9/-/blob/debian/9.20/debian/rules?ref_type=heads#L111
[2]
https://github.com/systemd/systemd/blob/main/src/network/networkd-link-bus.c#L71
[3]
https://manpages.debian.org/bookworm/systemd-resolved/systemd-resolved.8.en.html#PROTOCOLS_AND_ROUTING
[4] https://github.com/systemd/systemd/issues/33973#issuecomment-2711105548
[5] https://manpages.debian.org/testing/resolvconf/resolvconf.8.en.html#OPTIONS
[6] https://manpages.debian.org/testing/manpages/resolv.conf.5.en.html
[7] https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/local-stub.html#ubuntu
[8]
https://salsa.debian.org/dns-team/unbound/-/blob/master/debian/unbound-helper?ref_type=heads#L29
diff --git a/debian/rules b/debian/rules
index bb1efdc3e..810283f09 100755
--- a/debian/rules
+++ b/debian/rules
@@ -107,8 +107,8 @@ ifeq (,${libonly})
install -Dp -m 0644 debian/apparmor-profile
debian/unbound/etc/apparmor.d/usr.sbin.unbound
dh_apparmor --profile-name=usr.sbin.unbound -punbound
- dh_installsystemd -punbound
- dh_installsystemd -punbound --name=unbound-resolvconf --no-start
--no-stop-on-upgrade
+ dh_installsystemd -punbound unbound.service
+ dh_installsystemd -punbound --no-enable --name=unbound-resolvconf
--no-stop-on-upgrade unbound-resolvconf.service
dh_installinit --error-handler=true --restart-after-upgrade
install -d debian/unbound/etc/insserv.conf.d
