Your message dated Tue, 05 May 2026 12:49:01 +0000
with message-id <[email protected]>
and subject line Bug#1106186: fixed in unbound 1.25.0-1
has caused the Debian Bug report #1106186,
regarding unbound-resolvconf fails on start when systemd-resolved is present
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1106186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106186
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.22.0-1+b1
X-Debbugs-CC: [email protected]
When systemd-resolved is installed (in Trixie cloud images and Ubuntu
server), installing unbound & rebooting results in a failing service:
$ systemctl status unbound-resolvconf
× unbound-resolvconf.service - Unbound asyncronous resolvconf update helper
     Loaded: loaded (/usr/lib/systemd/system/unbound-resolvconf.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2025-05-20 07:51:11 CDT; 2s ago
   Duration: 46ms
 Invocation: c65cf6c1d33f4d5f8ea3ea837d043beb
    Process: 1135 ExecStart=/usr/libexec/unbound-helper resolvconf_start (code=exited, status=1/FAILURE)
   Main PID: 1135 (code=exited, status=1/FAILURE)
   Mem peak: 3.4M
        CPU: 28ms
May 20 07:51:11 trixie2 systemd[1]: Started unbound-resolvconf.service - Unbound asyncronous resolvconf update helper.
May 20 07:51:11 trixie2 resolvconf[1139]: Dropped protocol specifier '.unbound' from 'lo.unbound'. Using 'lo' (ifindex=1).
May 20 07:51:11 trixie2 resolvconf[1139]: Failed to set DNS configuration: Link lo is loopback device.
May 20 07:51:11 trixie2 systemd[1]: unbound-resolvconf.service: Main process exited, code=exited, status=1/FAILURE
May 20 07:51:11 trixie2 systemd[1]: unbound-resolvconf.service: Failed with result 'exit-code'.
I'm using LXD as a hypervisor with a trixie image provided by the LXD
community image server (lxc launch images:debian/trixie/cloud --vm
trixie0). This also affects Ubuntu (since Noble).
The reasons this service exists are documented in #807132 (see
comments 67 and 72). This wasn't an issue prior to systemd 251.4-1; in
251.4-3 /sbin/resolvconf became a link to /bin/resolvectl (see
#1019140). bind9 has a similar service that was introduced at the same
time as Unbound's, but that service is disabled by default, so
installation doesn't cause a failed service [1].
The systemd error traces back to [2]. The git history is extremely
light on context. However, we can glean something from the resolved
manpage to explain resolvectl's requirement that DNS server addresses
be associated with network interfaces [3]. There's a more complete
discussion of this at [4]. TL;DR there isn't an equivalent to adding a
global DNS server via `resolvectl` as is done with resolvconf [5][6].
Upstream recommends setting DNS=127.0.0.1 in resolved.conf [7]. We
could ship a drop-in:
# /usr/lib/systemd/resolved.conf.d/10-unbound.conf
[Resolve]
DNS=127.0.0.1
That would make this "just work" with resolved. This would break if
the user configured Unbound not to listen on localhost without
overriding the drop-in (that case is handled automatically by
unbound-resolvconf.service [8]).
It also seems that using resolvconf instead of resolved is still valid
in Debian (please correct me if I'm wrong), so we shouldn't remove
unbound-resolvconf.service entirely. I've included a diff in this bug
report that installs but disables the service by default (same as
bind9). I've tested that the fix prevents a failed service after
reboot.
However, if we disable unbound-resolvconf.service by default, then I'm
not sure I see the point of adding a drop-in (for consistency).
Alternatively, the service could be configured to detect if resolvconf
is provided by resolved, and exit cleanly if so (or add a drop-in in
/run; sounds problematic for reloading resolved config). I'd
appreciate hearing someone else's perspective on this. Happy to put up
an MR in Salsa if that would be more helpful.
Thanks!
~Wesley Hershberger
Canonical Support
[1] https://salsa.debian.org/dns-team/bind9/-/blob/debian/9.20/debian/rules?ref_type=heads#L111
[2] https://github.com/systemd/systemd/blob/main/src/network/networkd-link-bus.c#L71
[3] https://manpages.debian.org/bookworm/systemd-resolved/systemd-resolved.8.en.html#PROTOCOLS_AND_ROUTING
[4] https://github.com/systemd/systemd/issues/33973#issuecomment-2711105548
[5] https://manpages.debian.org/testing/resolvconf/resolvconf.8.en.html#OPTIONS
[6] https://manpages.debian.org/testing/manpages/resolv.conf.5.en.html
[7] https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/local-stub.html#ubuntu
[8] https://salsa.debian.org/dns-team/unbound/-/blob/master/debian/unbound-helper?ref_type=heads#L29
diff --git a/debian/rules b/debian/rules
index bb1efdc3e..810283f09 100755
--- a/debian/rules
+++ b/debian/rules
@@ -107,8 +107,8 @@ ifeq (,${libonly})
install -Dp -m 0644 debian/apparmor-profile
debian/unbound/etc/apparmor.d/usr.sbin.unbound
dh_apparmor --profile-name=usr.sbin.unbound -punbound
- dh_installsystemd -punbound
- dh_installsystemd -punbound --name=unbound-resolvconf --no-start
--no-stop-on-upgrade
+ dh_installsystemd -punbound unbound.service
+ dh_installsystemd -punbound --no-enable --name=unbound-resolvconf
--no-stop-on-upgrade unbound-resolvconf.service
dh_installinit --error-handler=true --restart-after-upgrade
install -d debian/unbound/etc/insserv.conf.d
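Review bot: the new unbound-resolvconf line drops --no-start while adding --no-enable. In dh_installsystemd, --no-enable only skips enabling the unit and does not affect whether it is started, so the generated postinst would still try to start unbound-resolvconf.service at install time, which is the failing path on hosts where resolvconf is resolvectl. Keep --no-start next to --no-enable on that line. With the unit no longer enabled by default, hosts that use the real resolvconf have to enable it by hand, so the change should come with a NEWS or README.Debian note saying so.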
--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.25.0-1
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 May 2026 15:45:07 +0300
Source: unbound
Architecture: source
Version: 1.25.0-1
Distribution: unstable
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1106186
Changes:
unbound (1.25.0-1) unstable; urgency=medium
.
[ Michael Tokarev ]
* new upstream release
* replace-deprecated-function-by-new-action.patch: remove
* d/unbound.service: set empty DAEMON_OPTS= to avoid warning from systemd
* unbound-helper: do not update resolvconf if it is systemd-resolved
(Closes: #1106186)
* d/upstream/signing-key.asc: update with the new upstream key
.
[ Luca Boccassi ]
* Install and use sysusers.d/tmpfiles.d config files
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
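The alternative raised in the report (detect that resolvconf is provided by resolved and exit cleanly) and the changelog entry "do not update resolvconf if it is systemd-resolved" both come down to a check like the one below. This is an added example, not the code shipped in unbound-helper; the function names are hypothetical, and the 127.0.0.1 nameserver line is an assumption taken from the drop-in discussed in the report.

```sh
#!/bin/sh
# Added example, not the unbound package's helper. Function names are
# hypothetical; the symlink test relies on the report's statement that
# /sbin/resolvconf became a link to resolvectl.

# Return 0 when the resolvconf at $1 resolves to systemd's resolvectl.
resolvconf_is_resolved() {
    rc_path=$1
    [ -n "$rc_path" ] && [ -e "$rc_path" ] || return 1
    target=$(readlink -f "$rc_path") || return 1
    [ "$(basename "$target")" = "resolvectl" ]
}

# Print the decision for a start hook: skip-missing, skip-resolved or update.
# $1 is an optional path to resolvconf; by default it is looked up in PATH.
resolvconf_action() {
    rc_path=${1:-$(command -v resolvconf 2>/dev/null || true)}
    if [ -z "$rc_path" ] || [ ! -x "$rc_path" ]; then
        echo skip-missing
    elif resolvconf_is_resolved "$rc_path"; then
        echo skip-resolved
    else
        echo update
    fi
}

# Start hook: register the local resolver only with a real resolvconf,
# and return success otherwise so the unit does not end up failed.
resolvconf_start_example() {
    case $(resolvconf_action "$1") in
        update)
            # Assumed address; a real helper would use the configured
            # listen addresses of the resolver.
            echo "nameserver 127.0.0.1" | "${1:-resolvconf}" -a lo.unbound
            ;;
        *)
            return 0
            ;;
    esac
}
```
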