Michael Biebl wrote:
> On 09.07.2016 at 23:36, Robert Edmonds wrote:
> > But it looks like “systemctl restart unbound” takes 90 seconds to
> > complete, though it eventually exits with return code 0. When “systemctl
> > restart unbound” is running, I see the following initially printed to
> > the journal:
> > ..
>
> > I'm not quite sure what the issue is. Any ideas? This is on an
> > up-to-date stretch VM, with these unbound packages installed:
> >
> > https://people.debian.org/~edmonds/build/unbound/1.5.9-2/
> >
> > along with resolvconf and postfix from testing.
>
>
> I did test those packages on a clean, up-to-date stretch system, where I ran
> apt install unbound resolvconf postfix
> reboot
> <login>
> systemctl restart unbound
>
> That worked just fine without delay.

Hi, Michael:

It appears postfix introduced native systemd unit files in version
3.1.0-3.1, which migrated to testing a day before your email, and a few
days after mine. So you must have been testing postfix with the new unit
files, and I was testing postfix with the old sysvinit scripts. So we
were both testing on up-to-date stretch systems :-)

> So I'm unable to reproduce the problem and from my POV the packages
> would be good to go.

OK, I'll try it again. I installed a fresh stretch VM from scratch. I
have these packages installed:

* unreleased unbound (from p.d.o/~edmonds/build/unbound/1.5.9-2/)
* postfix 3.1.0-3.1
* resolvconf 1.79

I do see “systemctl restart unbound” returning instantly now, and
unbound-resolvconf.service is running and causing /etc/resolv.conf to be
updated. However, it looks like the copy of resolv.conf inside postfix's
chroot *is not being updated*, which appears to be the whole point of
postfix's resolvconf hook. If that doesn't happen, then postfix won't
have working name resolution(!).

Here is with a freshly booted system:

root@unbound:~# stat '--format=%n: %y' /etc/resolvconf/run/resolv.conf /var/spool/postfix/etc/resolv.conf
/etc/resolvconf/run/resolv.conf: 2016-07-16 17:35:53.372000000 +0000
/var/spool/postfix/etc/resolv.conf: 2016-07-16 17:35:52.984000000 +0000
root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root@unbound:~#

It looks like postfix is starting early enough that it copies
resolv.conf into its chroot before resolv.conf has usable content, and
then when resolvconf does get updated, the postfix resolvconf hook
either isn't being invoked, or is being invoked but is not successfully
performing the copy.

Manually restarting unbound also doesn't cause postfix's copy of
resolv.conf to be updated:

root@unbound:~# systemctl restart unbound
root@unbound:~# stat '--format=%n: %y' /etc/resolvconf/run/resolv.conf /var/spool/postfix/etc/resolv.conf
/etc/resolvconf/run/resolv.conf: 2016-07-16 17:38:51.287627372 +0000
/var/spool/postfix/etc/resolv.conf: 2016-07-16 17:35:52.984000000 +0000
root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root@unbound:~#

When I run the postfix resolvconf hook by hand, it does cause the
postfix chroot's resolv.conf to be updated:

root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root@unbound:~# sh -x /etc/resolvconf/update-libc.d/postfix
+ service postfix status
+ /usr/sbin/postconf -h queue_directory
+ QUEUEDIR=/var/spool/postfix
+ [ -n /var/spool/postfix ]
+ cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
+ service postfix reload
+ exit 0
root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net
root@unbound:~#

However, I don't see any entries in the journal about postfix being
reloaded when unbound or unbound-resolvconf are restarted. I went
looking in postfix's bugs for issues related to systemd and found
#831026 (“Please propagate reload request to all instances”) which
sounds like it might be related. But after applying the patch in that
bug, it didn't make a difference:

root@unbound:~# systemctl cat postfix@-.service
# /lib/systemd/system/postfix@.service
[Unit]
Description=Postfix Mail Transport Agent (instance %i)
Documentation=man:postfix(1)
PartOf=postfix.service
►►► ReloadPropagatedFrom=postfix.service

[Service]
Type=forking
GuessMainPID=no
ExecStartPre=/usr/lib/postfix/configure-instance.sh %i
ExecStart=/usr/sbin/postmulti -i %i -p start
ExecStop=/usr/sbin/postmulti -i %i -p stop
ExecReload=/usr/sbin/postmulti -i %i -p reload

[Install]
WantedBy=multi-user.target
root@unbound:~# stat '--format=%n: %y' /etc/resolvconf/run/resolv.conf /var/spool/postfix/etc/resolv.conf
/etc/resolvconf/run/resolv.conf: 2016-07-16 17:48:27.576000000 +0000
/var/spool/postfix/etc/resolv.conf: 2016-07-16 17:48:27.052000000 +0000
root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root@unbound:~# systemctl restart unbound
root@unbound:~# systemctl status unbound
● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/unbound.service.d
           └─50-insserv.conf-$named.conf, 50-unbound-$named.conf
   Active: active (running) since Sat 2016-07-16 17:50:23 UTC; 48s ago
  Process: 1918 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 1914 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
 Main PID: 1924 (unbound)
   CGroup: /system.slice/unbound.service
           └─1924 /usr/sbin/unbound -d

Jul 16 17:50:23 unbound systemd[1]: Stopped Unbound DNS server.
Jul 16 17:50:23 unbound systemd[1]: Starting Unbound DNS server...
Jul 16 17:50:23 unbound package-helper[1918]: /var/lib/unbound/root.key has content
Jul 16 17:50:23 unbound package-helper[1918]: success: the anchor is ok
Jul 16 17:50:23 unbound systemd[1]: Started Unbound DNS server.
Jul 16 17:50:23 unbound unbound[1924]: [1924:0] notice: init module 0: validator
Jul 16 17:50:23 unbound unbound[1924]: [1924:0] notice: init module 1: iterator
Jul 16 17:50:23 unbound unbound[1924]: [1924:0] info: start of service (unbound 1.5.9).
root@unbound:~# stat '--format=%n: %y' /etc/resolvconf/run/resolv.conf /var/spool/postfix/etc/resolv.conf
/etc/resolvconf/run/resolv.conf: 2016-07-16 17:50:23.880574422 +0000
/var/spool/postfix/etc/resolv.conf: 2016-07-16 17:48:27.052000000 +0000
root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
root@unbound:~#

So, now I did a huge hack. In /sbin/resolvconf I replaced “run-parts”
with “run-parts --verbose”; in /etc/resolvconf/update.d/libc I added -x
to the shebang line and replaced “run-parts” with “run-parts --verbose”;
in /etc/resolvconf/update-libc.d/postfix I changed “-e” to “-ex” on the
shebang line. Now, after a fresh boot I see the following journal output
for unbound-resolvconf.service:

root@unbound:~# systemctl status -n 1000 -l unbound-resolvconf.service --no-pager
● unbound-resolvconf.service - Unbound DNS server via resolvconf
   Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2016-07-16 18:14:07 UTC; 3min 23s ago
 Main PID: 1693 (code=exited, status=0/SUCCESS)

Jul 16 18:14:07 unbound systemd[1]: Started Unbound DNS server via resolvconf.
Jul 16 18:14:07 unbound package-helper[1693]: run-parts: executing /etc/resolvconf/update.d/libc -a lo.unbound
Jul 16 18:14:07 unbound package-helper[1693]: + set -e
Jul 16 18:14:07 unbound package-helper[1693]: + PATH=/sbin:/bin
Jul 16 18:14:07 unbound package-helper[1693]: + [ -x /lib/resolvconf/list-records ]
Jul 16 18:14:07 unbound package-helper[1693]: + [ -r /etc/default/resolvconf ]
Jul 16 18:14:07 unbound package-helper[1693]: + ETC=/etc
Jul 16 18:14:07 unbound package-helper[1693]: + ETCRESOLVCONF=/etc/resolvconf
Jul 16 18:14:07 unbound package-helper[1693]: + RESOLVCONFDIR=/etc/resolvconf/resolv.conf.d
Jul 16 18:14:07 unbound package-helper[1693]: + BASEFILE=/etc/resolvconf/resolv.conf.d/base
Jul 16 18:14:07 unbound package-helper[1693]: + HEADFILE=/etc/resolvconf/resolv.conf.d/head
Jul 16 18:14:07 unbound package-helper[1693]: + TAILFILE=/etc/resolvconf/resolv.conf.d/tail
Jul 16 18:14:07 unbound package-helper[1693]: + DYNAMICRSLVCNFFILE=/etc/resolvconf/run/resolv.conf
Jul 16 18:14:07 unbound package-helper[1693]: + TMPFILE=/etc/resolvconf/run/resolv.conf_new.1719
Jul 16 18:14:07 unbound package-helper[1693]: + [ -z ]
Jul 16 18:14:07 unbound package-helper[1693]: + [ ]
Jul 16 18:14:07 unbound package-helper[1693]: + REPORT_ABSENT_SYMLINK=y
Jul 16 18:14:07 unbound package-helper[1693]: + [ -z ]
Jul 16 18:14:07 unbound package-helper[1693]: + [ ]
Jul 16 18:14:07 unbound package-helper[1693]: + TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=y
Jul 16 18:14:07 unbound package-helper[1693]: + resolv_conf_is_symlinked_to_dynamic_file
Jul 16 18:14:07 unbound package-helper[1693]: + [ -L /etc/resolv.conf ]
Jul 16 18:14:07 unbound package-helper[1693]: + readlink /etc/resolv.conf
Jul 16 18:14:07 unbound package-helper[1693]: + [ /etc/resolvconf/run/resolv.conf = /etc/resolvconf/run/resolv.conf ]
Jul 16 18:14:07 unbound package-helper[1693]: + /lib/resolvconf/list-records
Jul 16 18:14:07 unbound package-helper[1693]: + RSLVCNFFILES=lo.unbound
Jul 16 18:14:07 unbound package-helper[1693]: enp0s3.dhclient
Jul 16 18:14:07 unbound package-helper[1693]: + [ -f /etc/resolvconf/resolv.conf.d/base ]
Jul 16 18:14:07 unbound package-helper[1693]: + RSLVCNFFILES=lo.unbound
Jul 16 18:14:07 unbound package-helper[1693]: enp0s3.dhclient
Jul 16 18:14:07 unbound package-helper[1693]: /etc/resolvconf/resolv.conf.d/base
Jul 16 18:14:07 unbound package-helper[1693]: + NMSRVRS=
Jul 16 18:14:07 unbound package-helper[1693]: + [ lo.unbound
Jul 16 18:14:07 unbound package-helper[1693]: enp0s3.dhclient
Jul 16 18:14:07 unbound package-helper[1693]: /etc/resolvconf/resolv.conf.d/base ]
Jul 16 18:14:07 unbound package-helper[1693]: + sed -n s/^[[:space:]]*nameserver[[:space:]]\+//p lo.unbound enp0s3.dhclient /etc/resolvconf/resolv.conf.d/base
Jul 16 18:14:07 unbound package-helper[1693]: + uniquify_nameserver_list 127.0.0.1 75.75.75.75 75.75.76.76
Jul 16 18:14:07 unbound package-helper[1693]: + NMSRVRS=
Jul 16 18:14:07 unbound package-helper[1693]: + N=0
Jul 16 18:14:07 unbound package-helper[1693]: + [ 127.0.0.1 ]
Jul 16 18:14:07 unbound package-helper[1693]: + NMSRVRS=127.0.0.1
Jul 16 18:14:07 unbound package-helper[1693]: + return 0
Jul 16 18:14:07 unbound package-helper[1693]: + SRCHS=
Jul 16 18:14:07 unbound package-helper[1693]: + [ lo.unbound
Jul 16 18:14:07 unbound package-helper[1693]: enp0s3.dhclient
Jul 16 18:14:07 unbound package-helper[1693]: /etc/resolvconf/resolv.conf.d/base ]
Jul 16 18:14:07 unbound package-helper[1693]: + sed -n s/^[[:space:]]*\(\(search\)\|\(domain\)\)[[:space:]]\+//p lo.unbound enp0s3.dhclient /etc/resolvconf/resolv.conf.d/base
Jul 16 18:14:07 unbound package-helper[1693]: + uniquify hsd1.ga.comcast.net
Jul 16 18:14:07 unbound package-helper[1693]: + RSLT=
Jul 16 18:14:07 unbound package-helper[1693]: + local D
Jul 16 18:14:07 unbound package-helper[1693]: + [ hsd1.ga.comcast.net ]
Jul 16 18:14:07 unbound package-helper[1693]: + D=hsd1.ga.comcast.net
Jul 16 18:14:07 unbound package-helper[1693]: + RSLT=hsd1.ga.comcast.net
Jul 16 18:14:07 unbound package-helper[1693]: + shift
Jul 16 18:14:07 unbound package-helper[1693]: + [ ]
Jul 16 18:14:07 unbound package-helper[1693]: + SRCHS=hsd1.ga.comcast.net
Jul 16 18:14:07 unbound package-helper[1693]: + trap clean_up EXIT
Jul 16 18:14:07 unbound package-helper[1693]: + clean_up
Jul 16 18:14:07 unbound package-helper[1693]: + rm -f /etc/resolvconf/run/resolv.conf_new.1719
Jul 16 18:14:07 unbound package-helper[1693]: + :
Jul 16 18:14:07 unbound package-helper[1693]: + [ -f /etc/resolvconf/resolv.conf.d/head ]
Jul 16 18:14:07 unbound package-helper[1693]: + cat /etc/resolvconf/resolv.conf.d/head
Jul 16 18:14:07 unbound package-helper[1693]: + echo nameserver 127.0.0.1
Jul 16 18:14:07 unbound package-helper[1693]: + [ hsd1.ga.comcast.net ]
Jul 16 18:14:07 unbound package-helper[1693]: + echo search hsd1.ga.comcast.net
Jul 16 18:14:07 unbound package-helper[1693]: + [ lo.unbound
Jul 16 18:14:07 unbound package-helper[1693]: enp0s3.dhclient
Jul 16 18:14:07 unbound package-helper[1693]: /etc/resolvconf/resolv.conf.d/base ]
Jul 16 18:14:07 unbound package-helper[1693]: + sed -e /^[[:space:]]*$/d -e /^[[:space:]]*#/d -e /^[[:space:]]*\(\(nameserver\)\|\(search\)\|\(domain\)\)[[:space:]]/d lo.unbound enp0s3.dhclient /etc/resolvconf/resolv.conf.d/base
Jul 16 18:14:07 unbound package-helper[1693]: + [ -f /etc/resolvconf/resolv.conf.d/tail ]
Jul 16 18:14:07 unbound package-helper[1693]: + cat /etc/resolvconf/resolv.conf.d/tail
Jul 16 18:14:07 unbound package-helper[1693]: + [ -f /etc/resolvconf/run/resolv.conf ]
Jul 16 18:14:07 unbound package-helper[1693]: + cat /etc/resolvconf/run/resolv.conf_new.1719
Jul 16 18:14:07 unbound package-helper[1693]: + cat /etc/resolvconf/run/resolv.conf
Jul 16 18:14:07 unbound package-helper[1693]: + [ # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
Jul 16 18:14:07 unbound package-helper[1693]: # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
Jul 16 18:14:07 unbound package-helper[1693]: nameserver 127.0.0.1
Jul 16 18:14:07 unbound package-helper[1693]: search hsd1.ga.comcast.net = # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
Jul 16 18:14:07 unbound package-helper[1693]: # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
Jul 16 18:14:07 unbound package-helper[1693]: nameserver 75.75.75.75
Jul 16 18:14:07 unbound package-helper[1693]: nameserver 75.75.76.76
Jul 16 18:14:07 unbound package-helper[1693]: search hsd1.ga.comcast.net ]
Jul 16 18:14:07 unbound package-helper[1693]: + mv -f /etc/resolvconf/run/resolv.conf_new.1719 /etc/resolvconf/run/resolv.conf
Jul 16 18:14:07 unbound package-helper[1693]: + resolv_conf_is_symlinked_to_dynamic_file
Jul 16 18:14:07 unbound package-helper[1693]: + [ -L /etc/resolv.conf ]
Jul 16 18:14:07 unbound package-helper[1693]: + readlink /etc/resolv.conf
Jul 16 18:14:07 unbound package-helper[1693]: + [ /etc/resolvconf/run/resolv.conf = /etc/resolvconf/run/resolv.conf ]
Jul 16 18:14:07 unbound package-helper[1693]: + [ -d /etc/resolvconf/update-libc.d ]
Jul 16 18:14:07 unbound package-helper[1693]: + exec run-parts --verbose /etc/resolvconf/update-libc.d
Jul 16 18:14:07 unbound package-helper[1693]: run-parts: executing /etc/resolvconf/update-libc.d/postfix
Jul 16 18:14:07 unbound package-helper[1693]: + service postfix status
Jul 16 18:14:07 unbound package-helper[1693]: + exit 0
root@unbound:~#

The last few lines are the key part, I think:

Jul 16 18:14:07 unbound package-helper[1693]: run-parts: executing /etc/resolvconf/update-libc.d/postfix
Jul 16 18:14:07 unbound package-helper[1693]: + service postfix status
Jul 16 18:14:07 unbound package-helper[1693]: + exit 0

The 'service postfix status' fails, and the hook script takes the first
'|| exit 0' short circuit out of the script. Why does it fail though? I
removed the '>/dev/null 2>&1' redirections from the postfix hook script.
Now I get:

Jul 16 18:22:17 unbound package-helper[2408]: run-parts: executing /etc/resolvconf/update-libc.d/postfix
Jul 16 18:22:17 unbound package-helper[2408]: + service postfix status
Jul 16 18:22:17 unbound package-helper[2408]: /etc/resolvconf/update-libc.d/postfix: 5: /etc/resolvconf/update-libc.d/postfix: service: not found
Jul 16 18:22:17 unbound package-helper[2430]: + exit 0

That's weird, 'service' is in /usr/sbin… So I edited the hook script to
print $PATH:

Jul 16 18:22:37 unbound package-helper[2484]: run-parts: executing /etc/resolvconf/update-libc.d/postfix
Jul 16 18:22:37 unbound package-helper[2484]: + echo /sbin:/bin
Jul 16 18:22:37 unbound package-helper[2484]: /sbin:/bin
Jul 16 18:22:37 unbound package-helper[2484]: + service postfix status
Jul 16 18:22:37 unbound package-helper[2484]: /etc/resolvconf/update-libc.d/postfix: 7: /etc/resolvconf/update-libc.d/postfix: service: not found
Jul 16 18:22:37 unbound package-helper[2484]: + exit 0

So, 'service' is in /usr/sbin, but /usr/sbin is not in $PATH, and
'service' is not invoked with an absolute path. Then I edited the hook
script to fix $PATH:

Jul 16 18:32:01 unbound package-helper[1721]: run-parts: executing /etc/resolvconf/update-libc.d/postfix
Jul 16 18:32:01 unbound package-helper[1721]: + export PATH=/usr/sbin:/usr/bin:/sbin:/bin
Jul 16 18:32:01 unbound package-helper[1721]: + /usr/sbin/service postfix status
Jul 16 18:32:01 unbound package-helper[1721]: + /usr/sbin/postconf -h queue_directory
Jul 16 18:32:01 unbound package-helper[1721]: + QUEUEDIR=/var/spool/postfix
Jul 16 18:32:01 unbound package-helper[1721]: + [ -n /var/spool/postfix ]
Jul 16 18:32:01 unbound package-helper[1721]: + cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
Jul 16 18:32:01 unbound package-helper[1721]: + /usr/sbin/service postfix reload
Jul 16 18:32:01 unbound package-helper[1721]: + exit 0

That seems to work.
Now on boot, and whenever unbound is restarted, the postfix chroot is
picking up the changes to resolv.conf:

root@unbound:~# head -999 /etc/resolv.conf /var/spool/postfix/etc/resolv.conf
==> /etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net

==> /var/spool/postfix/etc/resolv.conf <==
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search hsd1.ga.comcast.net
root@unbound:~#

So it looks like at some point postfix's resolvconf hook has become
buggy (or has always been buggy?), and no longer works when restarted by
the unbound-resolvconf.service unit file. (Maybe $PATH was different in
the postfix resolvconf hook when unbound used a sysvinit script to
invoke resolvconf.)

Anyway, this needs to be fixed before I can upload an unbound package
with native service units. I can't upload an unbound that breaks
postfix. Does the fix need to go in the unbound or resolvconf or postfix
package?

-- 
Robert Edmonds
edmo...@debian.org
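
Added example, not part of the message above and not code from the postfix, resolvconf or unbound packages: a sandboxed reproduction of the failure the traces show, where a hook calls `service` by bare name under a PATH that lacks its directory and treats every failure as "not running". The sandbox layout, the stand-in `service` script and the names `fragile_hook`, `hardened_hook` and `run_hook` are constructed for illustration; returning 127 for a missing tool is an assumption about how one might harden such a hook, not the fix Debian adopted.

```shell
#!/bin/sh
# Constructed sandbox mirroring the message: "service" lives in usr/sbin,
# but the hook is started with a PATH that only lists sbin and bin.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/sbin" "$SANDBOX/sbin" "$SANDBOX/bin" \
         "$SANDBOX/etc" "$SANDBOX/chroot/etc"
ln -s "$(command -v cp)" "$SANDBOX/bin/cp"
printf '#!/bin/sh\nexit 0\n' > "$SANDBOX/usr/sbin/service"  # stand-in: "running"
chmod +x "$SANDBOX/usr/sbin/service"
printf 'nameserver 127.0.0.1\n' > "$SANDBOX/etc/resolv.conf"
CALLER_PATH="$SANDBOX/sbin:$SANDBOX/bin"   # stands in for PATH=/sbin:/bin
HOOK_TOOL_DIR="$SANDBOX/usr/sbin"          # stands in for /usr/sbin

# Copy the live resolv.conf into the (sandboxed) chroot.
sync_chroot() {
    cp "$SANDBOX/etc/resolv.conf" "$SANDBOX/chroot/etc/resolv.conf"
}

# Pattern seen in the trace: bare command name, output discarded, and every
# failure (including "not found", status 127) read as "postfix not running".
fragile_hook() {
    service postfix status >/dev/null 2>&1 || return 0
    sync_chroot
}

# Hardened variant: the hook sets the PATH it depends on and reports a
# missing tool with a non-zero status instead of exiting 0.
hardened_hook() {
    PATH="$HOOK_TOOL_DIR:$PATH"
    if ! command -v service >/dev/null 2>&1; then
        echo "hook: 'service' not found in PATH=$PATH" >&2
        return 127
    fi
    service postfix status >/dev/null 2>&1 || return 0
    sync_chroot
}

# Run a hook under the caller's restricted PATH, then print its exit status
# and whether the chroot copy was refreshed.
run_hook() {
    printf '# stale copy\n' > "$SANDBOX/chroot/etc/resolv.conf"
    rc=0
    ( PATH="$CALLER_PATH"; "$1" ) || rc=$?
    IFS= read -r first_line < "$SANDBOX/chroot/etc/resolv.conf"
    case $first_line in
        nameserver*) echo "$rc updated" ;;
        *)           echo "$rc stale" ;;
    esac
}

run_hook fragile_hook    # 0 stale
run_hook hardened_hook   # 0 updated
```

The fragile hook exits 0 while leaving the chroot copy stale, which is why nothing in the journal pointed at it until the redirections were removed.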