Re: unbound and (isc) dhcpd startup order
> On Wed, 17 Jun 2020 10:33:59 -0700 (PDT) Rodney W. Grimes > freebsd-...@gndrsh.dnsmgr.net said > > > > > > > On (06/16/20 08:14), Rodney W. Grimes wrote: > > >>Ok, well, I just thought of one and not sure if it is an issue or not, > > >>doesng unbound have the ability to specify interfaces? If so those > > >>may not exist until NETWORKING has run? > > > > > > > > > > Unbound isn't really going to do anything useful without the network. I > > > don't think it is unreasonable that it should depend on NETWORKING. > > > > Well then the current setup for local_unbound is counter to that, > > as it is BEFORE: NETWORKING > > > > > I think we're in an edge case here and, perhaps, a better solution might > > > be to have someone(tm) add in support in rc.conf to specify dependency > > > overrides. > > > > dns and configuration are a chicken/egg problem, not really an edge > > case, and a person must make a decision as to how to deal with that. > > > > > > > > So, perhaps you could set: > > > > > > dhcpd_after="unbound" > > > > > > Which would factor into the rcorder processing and make sure that dhcpd > > > starts after unbound. > > > > > > This would allow people to fine-tune things when they run into cases > > > like this. > > > > Even beside the unbound problem, this is a good idea. It would > > fix my "I need ipfw before routing as without ipfw my ospf packets > > get blocked and things take much longer to come up problem." > Honestly. I'm really inclined to agree with Rodney. rcorder should > really be a more fine-grained utility. > What about something like: > BEFORE: NETWORKING: pf > or > BEFORE: NETWORKING: ipfw > or > BEFORE: NETWORKING: unbound > etc, etc... > I think there *may* be a better direction. *But* this, at least > should be an easy direction to add with few repercussions. Yes? I do not see your fine graining, the above can be expressed already with just the pf, ipfw or unbound keyword can't they? 
Though I do think we need to maybe find ways to alter what the default values for BEFORE: and REQUIRE: are in the /etc/rc.d files. As my example I use the fact I have to add ipfw to rc.d/routing as it is problematic getting a routing protocol (ospf, bgp, ripv2) to come up when the firewall is blocking all the packets. It eventuly sorts itself out, but its ugly on the console and on the wire. > > > > > > > -r > > > > > > The idea that a daemon that depends on the network being functional > > > >> > > >> On a related note, unbound rc script provides "unbound" > > > >> service. > > > >> > > >> I think that maybe it should provide something more generic > > > >> such > > > as "nameserver" > > > >> > > >> or "dns-server" (not sure if there is an established name for > > > that). > > > >> > > >> The reason I am saying this is that, IMO, if unbound is > > > >> replaced > > > with some other > > > >> > > >> name server implementation the rc dependency chains should stay > > > the same. > > > >> > > > > > > >> > > > I do not see anything in the base system that uses unbound or > > > local_unbound > > > >> > > > service name, so this looks like it could be straightforward, > > > though there > > > >> > > > may be some ports that have use of this token. > > > >> > > > > > > >> > > > For the blue bikeshed I find that "server" is just noise in the > > > token > > > >> > > > and that "dns" already has "s" for system, so just "dns" is good > > > with me :-) > > > >> > > > > > >> > > That's a good point. > > > >> > > > >> I don't agree. The term dns is too generic. People are often running > > > >> dfferent nameservers on the same machine, as example: authoritative > > > >> and nonauthoritative (e.g. nsd & unbound). > > > > > > >>Given examples by others your right, we can not put all of these > > >>behind the knob "dns". 
> > > > > > > >> Regards, > > > >>jaap > > >>-- > > >>Rod Grimes > > >rgri...@freebsd.org > > > > > > -- > > > Ryan Steinmetz > > > PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7 > > > > > > > -- > > Rod Grimes > > rgri...@freebsd.org > > --Chris > > > > -- Rod Grimes rgri...@freebsd.org ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: unbound and (isc) dhcpd startup order
On Wed, 17 Jun 2020 10:33:59 -0700 (PDT) Rodney W. Grimes freebsd-...@gndrsh.dnsmgr.net said > > On (06/16/20 08:14), Rodney W. Grimes wrote: >>Ok, well, I just thought of one and not sure if it is an issue or not, >>doesng unbound have the ability to specify interfaces? If so those >>may not exist until NETWORKING has run? > > > > Unbound isn't really going to do anything useful without the network. I > don't think it is unreasonable that it should depend on NETWORKING. Well then the current setup for local_unbound is counter to that, as it is BEFORE: NETWORKING > I think we're in an edge case here and, perhaps, a better solution might > be to have someone(tm) add in support in rc.conf to specify dependency > overrides. dns and configuration are a chicken/egg problem, not really an edge case, and a person must make a decision as to how to deal with that. > > So, perhaps you could set: > > dhcpd_after="unbound" > > Which would factor into the rcorder processing and make sure that dhcpd > starts after unbound. > > This would allow people to fine-tune things when they run into cases > like this. Even beside the unbound problem, this is a good idea. It would fix my "I need ipfw before routing as without ipfw my ospf packets get blocked and things take much longer to come up problem." Honestly. I'm really inclined to agree with Rodney. rcorder should really be a more fine-grained utility. What about something like: BEFORE: NETWORKING: pf or BEFORE: NETWORKING: ipfw or BEFORE: NETWORKING: unbound etc, etc... I think there *may* be a better direction. *But* this, at least should be an easy direction to add with few repercussions. Yes? > -r > > The idea that a daemon that depends on the network being functional > >> > > >> On a related note, unbound rc script provides "unbound" service. > >> > > >> I think that maybe it should provide something more generic such > as "nameserver" > >> > > >> or "dns-server" (not sure if there is an established name for > that). 
> >> > > >> The reason I am saying this is that, IMO, if unbound is replaced > with some other > >> > > >> name server implementation the rc dependency chains should stay > the same. > >> > > > > >> > > > I do not see anything in the base system that uses unbound or > local_unbound > >> > > > service name, so this looks like it could be straightforward, > though there > >> > > > may be some ports that have use of this token. > >> > > > > >> > > > For the blue bikeshed I find that "server" is just noise in the > token > >> > > > and that "dns" already has "s" for system, so just "dns" is good > with me :-) > >> > > > >> > > That's a good point. > >> > >> I don't agree. The term dns is too generic. People are often running > >> dfferent nameservers on the same machine, as example: authoritative > >> and nonauthoritative (e.g. nsd & unbound). > > >>Given examples by others your right, we can not put all of these >>behind the knob "dns". > > > >> Regards, > >> jaap >>-- >>Rod Grimes >rgri...@freebsd.org > > -- > Ryan Steinmetz > PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7 > -- Rod Grimes rgri...@freebsd.org --Chris ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: unbound and (isc) dhcpd startup order
> On Tue, Jun 16, 2020 at 08:18:59AM -0700, Rodney W. Grimes wrote:
> > ... Sometimes
> > that leads to duplicate IP information stored in various config files.
> >
> > When possible managing those configurations via ansible or other CM
> > system that can pull the data from dns and build the config files
> > minimizes the work to keep it all up to date.
>
> Would defining a variable in /etc/rc.conf help? Don't most/all rc.d scripts
> end up sourcing it? Works for me in my local startups.

No as it is usually .conf files that need this info, and those
do not source rc.conf. Almost any routing protocol configuration
needs access to this data, dhcpd.conf is another one. This particular
one, wanting to use names in a name service itself is particularly
hard to deal with.

--
Rod Grimes rgri...@freebsd.org
Re: unbound and (isc) dhcpd startup order
> > On (06/16/20 08:14), Rodney W. Grimes wrote: > >Ok, well, I just thought of one and not sure if it is an issue or not, > >doesng unbound have the ability to specify interfaces? If so those > >may not exist until NETWORKING has run? > > > > Unbound isn't really going to do anything useful without the network. I > don't think it is unreasonable that it should depend on NETWORKING. Well then the current setup for local_unbound is counter to that, as it is BEFORE: NETWORKING > I think we're in an edge case here and, perhaps, a better solution might > be to have someone(tm) add in support in rc.conf to specify dependency > overrides. dns and configuration are a chicken/egg problem, not really an edge case, and a person must make a decision as to how to deal with that. > > So, perhaps you could set: > > dhcpd_after="unbound" > > Which would factor into the rcorder processing and make sure that dhcpd > starts after unbound. > > This would allow people to fine-tune things when they run into cases > like this. Even beside the unbound problem, this is a good idea. It would fix my "I need ipfw before routing as without ipfw my ospf packets get blocked and things take much longer to come up problem." > -r > > The idea that a daemon that depends on the network being functional > >> > > >> On a related note, unbound rc script provides "unbound" service. > >> > > >> I think that maybe it should provide something more generic such > >> as "nameserver" > >> > > >> or "dns-server" (not sure if there is an established name for > >> that). > >> > > >> The reason I am saying this is that, IMO, if unbound is replaced > >> with some other > >> > > >> name server implementation the rc dependency chains should stay > >> the same. > >> > > > > >> > > > I do not see anything in the base system that uses unbound or > >> local_unbound > >> > > > service name, so this looks like it could be straightforward, > >> though there > >> > > > may be some ports that have use of this token. 
> >> > > > > >> > > > For the blue bikeshed I find that "server" is just noise in the > >> token > >> > > > and that "dns" already has "s" for system, so just "dns" is good > >> with me :-) > >> > > > >> > > That's a good point. > >> > >> I don't agree. The term dns is too generic. People are often running > >> dfferent nameservers on the same machine, as example: authoritative > >> and nonauthoritative (e.g. nsd & unbound). > > > >Given examples by others your right, we can not put all of these > >behind the knob "dns". > > > >> Regards, > >>jaap > >-- > >Rod Grimes > >rgri...@freebsd.org > > -- > Ryan Steinmetz > PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7 > -- Rod Grimes rgri...@freebsd.org ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: unbound and (isc) dhcpd startup order
Andriy Gapon writes:

> On 15/06/2020 17:35, Jaap Akkerhuis wrote:
> > If you want the port to change, send a PR for the port so I won't forget
> > this.
>
> Done.
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247305

Thanks, will have a look soon.

jaap
Re: unbound and (isc) dhcpd startup order
On (06/15/20 16:35), Jaap Akkerhuis wrote:
"Rodney W. Grimes" writes:

> Um, yea, I guess the bigger question is why is the port different
> than the base system in this respect?

The unbound port existed years before it was decided that unbound
should replace bind in the base system.

If you want the port to change, send a PR for the port so I won't forget this.

>
> I would expect unbound to be the same, as unbound_local in almost
> every respect, especially with respect to its startup sequencing,
> providers and requires.

Not really. For a start, the port has a different default configuration
than the one in base.

> > > I seen no problem in adding a BEFORE: NETWORKING to the port, covering
> > > a larger number of cases than your narrow BEFORE: dhcpd.

I don't see a problem either.

afaik unbound still tries to refresh its trust anchor at start (or can).
This won't work without NETWORKING.

-r

> > >> On a related note, unbound rc script provides "unbound" service.
> > >> I think that maybe it should provide something more generic such as "nameserver"
> > >> or "dns-server" (not sure if there is an established name for that).
> > >> The reason I am saying this is that, IMO, if unbound is replaced with some other
> > >> name server implementation the rc dependency chains should stay the same.
> > >
> > > I do not see anything in the base system that uses unbound or local_unbound
> > > service name, so this looks like it could be straightforward, though there
> > > may be some ports that have use of this token.
> > >
> > > For the blue bikeshed I find that "server" is just noise in the token
> > > and that "dns" already has "s" for system, so just "dns" is good with me :-)
> >
> > That's a good point.

I don't agree. The term dns is too generic. People are often running
different nameservers on the same machine, as example: authoritative
and nonauthoritative (e.g. nsd & unbound).

Regards,

jaap

--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
Re: unbound and (isc) dhcpd startup order
On Tue, 16 Jun 2020 12:36:19 -0400
Ryan Steinmetz wrote:

> On (06/16/20 08:14), Rodney W. Grimes wrote:
> >Ok, well, I just thought of one and not sure if it is an issue or
> >not, doesn't unbound have the ability to specify interfaces? If so
> >those may not exist until NETWORKING has run?
> >
>
> Unbound isn't really going to do anything useful without the network.
> I don't think it is unreasonable that it should depend on NETWORKING.
>
> I think we're in an edge case here and, perhaps, a better solution
> might be to have someone(tm) add in support in rc.conf to specify
> dependency overrides.
>
> So, perhaps you could set:
>
> dhcpd_after="unbound"
>
> Which would factor into the rcorder processing and make sure that
> dhcpd starts after unbound.
>
> This would allow people to fine-tune things when they run into cases
> like this.

Exactly my thoughts for a while now. There are more examples like this
(e.g., you run a service and host the database in the same jail/on the
same machine, you want to have a dependency on the database being up,
etc.). Never found the time to look into it though.

Cheers,
Michael

--
Michael Gmelin
Re: unbound and (isc) dhcpd startup order
On Tue, Jun 16, 2020 at 08:18:59AM -0700, Rodney W. Grimes wrote:
> ... Sometimes
> that leads to duplicate IP information stored in various config files.
>
> When possible managing those configurations via ansible or other CM
> system that can pull the data from dns and build the config files
> minimizes the work to keep it all up to date.

Would defining a variable in /etc/rc.conf help? Don't most/all rc.d scripts
end up sourcing it? Works for me in my local startups.
Re: unbound and (isc) dhcpd startup order
On (06/16/20 08:14), Rodney W. Grimes wrote:
Ok, well, I just thought of one and not sure if it is an issue or not,
doesn't unbound have the ability to specify interfaces? If so those
may not exist until NETWORKING has run?

Unbound isn't really going to do anything useful without the network. I
don't think it is unreasonable that it should depend on NETWORKING.

I think we're in an edge case here and, perhaps, a better solution might
be to have someone(tm) add in support in rc.conf to specify dependency
overrides.

So, perhaps you could set:

dhcpd_after="unbound"

Which would factor into the rcorder processing and make sure that dhcpd
starts after unbound.

This would allow people to fine-tune things when they run into cases
like this.

-r

The idea that a daemon that depends on the network being functional

> > >> On a related note, unbound rc script provides "unbound" service.
> > >> I think that maybe it should provide something more generic such as "nameserver"
> > >> or "dns-server" (not sure if there is an established name for that).
> > >> The reason I am saying this is that, IMO, if unbound is replaced with some other
> > >> name server implementation the rc dependency chains should stay the same.
> > >
> > > I do not see anything in the base system that uses unbound or local_unbound
> > > service name, so this looks like it could be straightforward, though there
> > > may be some ports that have use of this token.
> > >
> > > For the blue bikeshed I find that "server" is just noise in the token
> > > and that "dns" already has "s" for system, so just "dns" is good with me :-)
> >
> > That's a good point.

I don't agree. The term dns is too generic. People are often running
different nameservers on the same machine, as example: authoritative
and nonauthoritative (e.g. nsd & unbound).

Given examples by others you're right, we can not put all of these
behind the knob "dns".

Regards,
jaap

--
Rod Grimes
rgri...@freebsd.org

--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
Re: unbound and (isc) dhcpd startup order
> On 15/06/20 14:47, Andriy Gapon wrote:
> > On 15/06/2020 14:48, Eugene Grosbein wrote:
> >> 15.06.2020 13:10, Andriy Gapon wrote:
> >>
> >>> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
> >>> using unbound for a local DNS and isc-dhcp44-server for DHCP.
> >>> I have a few hosts with static IP addresses (for various reasons).
> >>> So, in unbound.conf I have an entry like
> >>> local-data: "hipster.home.arpa. IN A 192.168.0.222"
> >>
> >> Consider using /etc/hosts in addition to DNS to solve chicken/egg problem.
> >>
> >
> > Having the same IP in more than one place (on the router) is the thing that I'd
> > like to avoid in the first place. Otherwise, there is no problem putting it in
> > dhcpd.conf.
> >
>
> A secondary DNS server could also help, unless both are rebooted at the
> same time.

Definitely, that is one solution, but it also has issues like
now I need NETWORKING and ROUTING and FIREWALL code all working
before I might be able to access that "remote" DNS server.

This is one of the things that has led me to manage systems
in a way that I can almost always boot anything with the
network disconnected and it still comes up with a valid and
operation state. Sometimes that leads to duplicate IP information
stored in various config files.

When possible managing those configurations via ansible or other CM
system that can pull the data from dns and build the config files
minimizes the work to keep it all up to date.

> --
> Guido Falsi

--
Rod Grimes rgri...@freebsd.org
Re: unbound and (isc) dhcpd startup order
> "Rodney W. Grimes" writes:
>
> > Um, yea, I guess the bigger question is why is the port different
> > than the base system in this respect?
>
> The unbound port existed years before it was decided that unbound
> should replace bind in the base system.
>
> If you want the port to change, send a PR for the port so I won't forget this.
>
> >
> > I would expect unbound to be the same, as unbound_local in almost
> > every respect, especially with respect to its startup sequencing,
> > providers and requires.
>
> Not really. For a start, the port has a different default configuration
> than the one in base.

Why does that change the startup order, required and providers?
If the rc system is so sensitive as to the configuration of
daemons/servers we need to add a way to alter these better
than editing /etc/rc.d/* files. (Which I present I do only
as a last resort and last time I checked I had 2 local mods
in there, one mostly case bird takes too long to get going
during the routing startup, and one to cause ipfw loading
earlier.

> > > > I seen no problem in adding a BEFORE: NETWORKING to the port, covering
> > > > a larger number of cases than your narrow BEFORE: dhcpd.
>
> I don't see a problem either.

Ok, well, I just thought of one and not sure if it is an issue or not,
doesn't unbound have the ability to specify interfaces? If so those
may not exist until NETWORKING has run?

> > > >> On a related note, unbound rc script provides "unbound" service.
> > > >> I think that maybe it should provide something more generic such as "nameserver"
> > > >> or "dns-server" (not sure if there is an established name for that).
> > > >> The reason I am saying this is that, IMO, if unbound is replaced with some other
> > > >> name server implementation the rc dependency chains should stay the same.
> > > >
> > > > I do not see anything in the base system that uses unbound or local_unbound
> > > > service name, so this looks like it could be straightforward, though there
> > > > may be some ports that have use of this token.
> > > >
> > > > For the blue bikeshed I find that "server" is just noise in the token
> > > > and that "dns" already has "s" for system, so just "dns" is good with me :-)
> > >
> > > That's a good point.
>
> I don't agree. The term dns is too generic. People are often running
> different nameservers on the same machine, as example: authoritative
> and nonauthoritative (e.g. nsd & unbound).

Given examples by others you're right, we can not put all of these
behind the knob "dns".

> Regards,
> jaap

--
Rod Grimes rgri...@freebsd.org
Re: unbound and (isc) dhcpd startup order
On 15/06/2020 17:35, Jaap Akkerhuis wrote:
> If you want the port to change, send a PR for the port so I won't forget this.

Done.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247305

--
Andriy Gapon
Re: unbound and (isc) dhcpd startup order
On 15/06/20 14:47, Andriy Gapon wrote:
> On 15/06/2020 14:48, Eugene Grosbein wrote:
>> 15.06.2020 13:10, Andriy Gapon wrote:
>>
>>> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
>>> using unbound for a local DNS and isc-dhcp44-server for DHCP.
>>> I have a few hosts with static IP addresses (for various reasons).
>>> So, in unbound.conf I have an entry like
>>> local-data: "hipster.home.arpa. IN A 192.168.0.222"
>>
>> Consider using /etc/hosts in addition to DNS to solve chicken/egg problem.
>>
>
> Having the same IP in more than one place (on the router) is the thing that I'd
> like to avoid in the first place. Otherwise, there is no problem putting it in
> dhcpd.conf.
>

A secondary DNS server could also help, unless both are rebooted at the
same time.

--
Guido Falsi
Re: unbound and (isc) dhcpd startup order
"Rodney W. Grimes" writes:

> Um, yea, I guess the bigger question is why is the port different
> than the base system in this respect?

The unbound port existed years before it was decided that unbound
should replace bind in the base system.

If you want the port to change, send a PR for the port so I won't forget this.

>
> I would expect unbound to be the same, as unbound_local in almost
> every respect, especially with respect to its startup sequencing,
> providers and requires.

Not really. For a start, the port has a different default configuration
than the one in base.

> > > I seen no problem in adding a BEFORE: NETWORKING to the port, covering
> > > a larger number of cases than your narrow BEFORE: dhcpd.

I don't see a problem either.

> > >> On a related note, unbound rc script provides "unbound" service.
> > >> I think that maybe it should provide something more generic such as "nameserver"
> > >> or "dns-server" (not sure if there is an established name for that).
> > >> The reason I am saying this is that, IMO, if unbound is replaced with some other
> > >> name server implementation the rc dependency chains should stay the same.
> > >
> > > I do not see anything in the base system that uses unbound or local_unbound
> > > service name, so this looks like it could be straightforward, though there
> > > may be some ports that have use of this token.
> > >
> > > For the blue bikeshed I find that "server" is just noise in the token
> > > and that "dns" already has "s" for system, so just "dns" is good with me :-)
> >
> > That's a good point.

I don't agree. The term dns is too generic. People are often running
different nameservers on the same machine, as example: authoritative
and nonauthoritative (e.g. nsd & unbound).

Regards,

jaap
Re: unbound and (isc) dhcpd startup order
On 2020-06-15 16:06, DutchDaemon - FreeBSD Forums Administrator wrote:
> BIND serves my domains authoritatively, but does no recursive queries
> for anyone.
>
> Unbound serves the local resolving tasks.
>
> --- /etc/rc.conf:
>
> named_enable="YES"
> unbound_enable="YES"
>
> --- /usr/local/etc/named.conf:
>
> listen-on { xx.22.108.xx; };
>
> --- /usr/local/etc/unbound/unbound.conf:
>
> interface: 127.0.0.1
>
> --- /etc/resolv.conf:
>
> nameserver 127.0.0.1
>
>
> Works absolutely fine.
>

To wit:

# sockstat -l4p53
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    99163 3  udp4   127.0.0.1:53          *:*
unbound  unbound    99163 4  tcp4   127.0.0.1:53          *:*
bind     named      56098 36 udp4   84.22.108.242:53      *:*
bind     named      56098 37 udp4   84.22.108.242:53      *:*
bind     named      56098 38 tcp4   84.22.108.242:53      *:*
bind     named      56098 39 tcp4   84.22.108.242:53      *:*
bind     named      56098 40 tcp4   84.22.108.242:53      *:*
Re: unbound and (isc) dhcpd startup order
On 2020-06-15 15:58, Rodney W. Grimes wrote:
> named is specifically the name of the binary included in the bind
> product, which included the resolver stub, named, and some other
> support utilities like rndc and nslookup.
>
> It would make sense to unify these, though that is going to take
> some careful thought and co-ordination as to not break peoples
> running systems. I suspect the ports conflict stuff is keeping
> one from installing unbound, and bind at the same time, arguable
> wrong as one should be able to install both, but only run one
> at a time, or even run both on different ports.

Certainly how I'm doing it:

BIND serves my domains authoritatively, but does no recursive queries
for anyone.

Unbound serves the local resolving tasks.

--- /etc/rc.conf:

named_enable="YES"
unbound_enable="YES"

--- /usr/local/etc/named.conf:

listen-on { xx.22.108.xx; };

--- /usr/local/etc/unbound/unbound.conf:

interface: 127.0.0.1

--- /etc/resolv.conf:

nameserver 127.0.0.1

Works absolutely fine.
Re: unbound and (isc) dhcpd startup order
> On 15/06/2020 15:57, Rodney W. Grimes wrote:
> >>
> >> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
> >> using unbound for a local DNS and isc-dhcp44-server for DHCP.
> >> I have a few hosts with static IP addresses (for various reasons).
> >> So, in unbound.conf I have an entry like
> >> local-data: "hipster.home.arpa. IN A 192.168.0.222"
> >> and in dhcpd.conf have:
> >> host hipster {
> >>   hardware ethernet 40:74:e0:xx:xx:xx;
> >>   fixed-address hipster.home.arpa;
> >> }
> >>
> >> I am using a DNS name to avoid hardcoding the same IP address twice.
> >> But obviously this depends on the local DNS server starting before the DHCP
> >> server if they are on the same host / router.
> >> It seems that at the moment there is nothing to ensure that order.
> >>
> >> For the moment I modified rc.d/unbound to add this line:
> >> # BEFORE: dhcpd
> >
> > From looking at /etc/rc.d/local_unbound we see:
> > # PROVIDE: local_unbound
> > # REQUIRE: FILESYSTEMS defaultroute netwait resolv
> > # BEFORE: NETWORKING
> > # KEYWORD: shutdown
> >
> > What makes it work for that case is the BEFORE: NETWORKING is that
> > line missing for the port version?
>
> Yes, it is:
> # PROVIDE: unbound
> # REQUIRE: SERVERS cleanvar
> # KEYWORD: shutdown
>
> If we add BEFORE: NETWORKING then REQUIRE will also have to be adjusted as it's
> impossible to be before NETWORKING and after SERVERS.

Um, yea, I guess the bigger question is why is the port different
than the base system in this respect?

I would expect unbound to be the same, as unbound_local in almost
every respect, especially with respect to its startup sequencing,
providers and requires.

> >> I am not sure if this is the best solution and it's something that can be
> >> included into the port.
> >
> > I think that DNS needs to be started before more than just dhcpd,
> > so this is just 1 of many possible cases. This can also be issues
> > with almost any network stuff that wants to do stuff by DNS value,
> > including the network itself. DNS creates a chicken/egg problem in
> > that you may, or may not need the network to resolve names, I have
> > always hated that aspect of it. Modern tooling can help, you use
> > stuff to build your /etc/rc config files that can be run while the
> > network is up and functional so that this entering IP addresses in
> > N places is less painful.
> >
> > I seen no problem in adding a BEFORE: NETWORKING to the port, covering
> > a larger number of cases than your narrow BEFORE: dhcpd.
>
> I agree.
> I hope it doesn't break any currently working configurations too.

I have no idea how to hunt through ports looking for this.
I suppose find all ports that need unbound and see what
their startup scripts look like.

> >> On a related note, unbound rc script provides "unbound" service.
> >> I think that maybe it should provide something more generic such as "nameserver"
> >> or "dns-server" (not sure if there is an established name for that).
> >> The reason I am saying this is that, IMO, if unbound is replaced with some other
> >> name server implementation the rc dependency chains should stay the same.
> >
> > I do not see anything in the base system that uses unbound or local_unbound
> > service name, so this looks like it could be straightforward, though there
> > may be some ports that have use of this token.
> >
> > For the blue bikeshed I find that "server" is just noise in the token
> > and that "dns" already has "s" for system, so just "dns" is good with me :-)
>
> That's a good point.
> I've just checked bind ports and they use PROVIDE: named
> Not sure if "named" here is a bind specific name or a generic one.

named is specifically the name of the binary included in the bind
product, which included the resolver stub, named, and some other
support utilities like rndc and nslookup.

It would make sense to unify these, though that is going to take
some careful thought and co-ordination as to not break peoples
running systems. I suspect the ports conflict stuff is keeping
one from installing unbound, and bind at the same time, arguable
wrong as one should be able to install both, but only run one
at a time, or even run both on different ports.

> --
> Andriy Gapon

--
Rod Grimes rgri...@freebsd.org
Re: unbound and (isc) dhcpd startup order
On 15/06/2020 15:57, Rodney W. Grimes wrote:
>> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
>> using unbound for a local DNS and isc-dhcp44-server for DHCP.
>> I have a few hosts with static IP addresses (for various reasons).
>> So, in unbound.conf I have an entry like
>> local-data: "hipster.home.arpa. IN A 192.168.0.222"
>> and in dhcpd.conf have:
>> host hipster {
>>   hardware ethernet 40:74:e0:xx:xx:xx;
>>   fixed-address hipster.home.arpa;
>> }
>>
>> I am using a DNS name to avoid hardcoding the same IP address twice.
>> But obviously this depends on the local DNS server starting before the DHCP
>> server if they are on the same host / router.
>> It seems that at the moment there is nothing to ensure that order.
>>
>> For the moment I modified rc.d/unbound to add this line:
>> # BEFORE: dhcpd
>
> From looking at /etc/rc.d/local_unbound we see:
> # PROVIDE: local_unbound
> # REQUIRE: FILESYSTEMS defaultroute netwait resolv
> # BEFORE: NETWORKING
> # KEYWORD: shutdown
>
> What makes it work for that case is the BEFORE: NETWORKING is that
> line missing for the port version?

Yes, it is:
# PROVIDE: unbound
# REQUIRE: SERVERS cleanvar
# KEYWORD: shutdown

If we add BEFORE: NETWORKING then REQUIRE will also have to be adjusted as it's
impossible to be before NETWORKING and after SERVERS.

>> I am not sure if this is the best solution and it's something that can be
>> included into the port.
>
> I think that DNS needs to be started before more than just dhcpd,
> so this is just 1 of many possible cases. This can also be issues
> with almost any network stuff that wants to do stuff by DNS value,
> including the network itself. DNS creates a chicken/egg problem in
> that you may, or may not need the network to resolve names, I have
> always hated that aspect of it. Modern tooling can help, you use
> stuff to build your /etc/rc config files that can be run while the
> network is up and functional so that this entering IP addresses in
> N places is less painful.
>
> I see no problem in adding a BEFORE: NETWORKING to the port, covering
> a larger number of cases than your narrow BEFORE: dhcpd.

I agree.
I hope it doesn't break any currently working configurations too.

>> On a related note, unbound rc script provides "unbound" service.
>> I think that maybe it should provide something more generic such as "nameserver"
>> or "dns-server" (not sure if there is an established name for that).
>> The reason I am saying this is that, IMO, if unbound is replaced with some other
>> name server implementation the rc dependency chains should stay the same.
>
> I do not see anything in the base system that uses unbound or local_unbound
> service name, so this looks like it could be straightforward, though there
> may be some ports that have use of this token.
>
> For the blue bikeshed I find that "server" is just noise in the token
> and that "dns" already has "s" for system, so just "dns" is good with me :-)

That's a good point.
I've just checked bind ports and they use PROVIDE: named
Not sure if "named" here is a bind specific name or a generic one.

--
Andriy Gapon
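Added example, not part of the thread and not rcorder(8) itself: a small Python model of PROVIDE/REQUIRE/BEFORE ordering that checks the unbound header variants discussed in the message above. Only the unbound keywords come from the messages; the cleanvar, NETWORKING, SERVERS and dhcpd headers are simplified assumptions, including SERVERS requiring NETWORKING directly.

```python
import re
# Constructed, simplified rc.d headers: only the unbound keywords are taken
# from the thread; the other scripts and their REQUIRE lines are assumptions.
PORT_UNBOUND = "# PROVIDE: unbound\n# REQUIRE: SERVERS cleanvar\n# KEYWORD: shutdown\n"
BASE = {
    "cleanvar": "# PROVIDE: cleanvar\n", "NETWORKING": "# PROVIDE: NETWORKING\n",
    "SERVERS": "# PROVIDE: SERVERS\n# REQUIRE: NETWORKING\n",
    "dhcpd": "# PROVIDE: dhcpd\n# REQUIRE: SERVERS\n",
    "unbound": PORT_UNBOUND,
}
BEFORE_DHCPD = {**BASE, "unbound": PORT_UNBOUND + "# BEFORE: dhcpd\n"}
CONFLICT = {**BASE, "unbound": PORT_UNBOUND + "# BEFORE: NETWORKING\n"}
ADJUSTED = {**BASE, "unbound": "# PROVIDE: unbound\n# REQUIRE: cleanvar\n# BEFORE: NETWORKING\n"}

def parse(text, keyword):
    """Names listed on '# KEYWORD: a b' header lines."""
    return " ".join(re.findall(rf"^#\s*{keyword}:\s*(.*)$", text, re.M)).split()

def edges(scripts):
    """Map each script to the set of scripts that must start after it."""
    provider = {p: s for s, text in scripts.items() for p in parse(text, "PROVIDE")}
    after = {s: set() for s in scripts}
    for s, text in scripts.items():
        for req in parse(text, "REQUIRE"):
            after[provider[req]].add(s)      # the requirement starts first
        for bef in parse(text, "BEFORE"):
            after[s].add(provider[bef])      # this script starts first
    return after

def start_order(scripts):
    """Topological order; ValueError lists scripts a cycle leaves unordered."""
    after, order = edges(scripts), []
    pending = {s: sum(s in succ for succ in after.values()) for s in after}
    while ready := sorted(s for s, n in pending.items() if n == 0):
        order.append(ready[0])
        del pending[ready[0]]
        for s in after[ready[0]]:
            pending[s] -= 1
    if pending:
        raise ValueError("dependency cycle blocks: " + " ".join(sorted(pending)))
    return order

def must_precede(scripts, first, later):
    """True if the headers force `first` to start before `later`."""
    after, seen, stack = edges(scripts), set(), [first]
    while stack:
        new = after[stack.pop()] - seen
        seen, stack = seen | new, stack + list(new)
    return later in seen
```

In this model the port header as posted leaves unbound and dhcpd unordered, BEFORE: NETWORKING combined with REQUIRE: SERVERS produces a cycle, and dropping SERVERS from REQUIRE resolves it while still placing unbound ahead of dhcpd.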
Re: unbound and (isc) dhcpd startup order
> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
> using unbound for a local DNS and isc-dhcp44-server for DHCP.
> I have a few hosts with static IP addresses (for various reasons).
> So, in unbound.conf I have an entry like
> local-data: "hipster.home.arpa. IN A 192.168.0.222"
> and in dhcpd.conf have:
> host hipster {
>   hardware ethernet 40:74:e0:xx:xx:xx;
>   fixed-address hipster.home.arpa;
> }
>
> I am using a DNS name to avoid hardcoding the same IP address twice.
> But obviously this depends on the local DNS server starting before the DHCP
> server if they are on the same host / router.
> It seems that at the moment there is nothing to ensure that order.
>
> For the moment I modified rc.d/unbound to add this line:
> # BEFORE: dhcpd

From looking at /etc/rc.d/local_unbound we see:
# PROVIDE: local_unbound
# REQUIRE: FILESYSTEMS defaultroute netwait resolv
# BEFORE: NETWORKING
# KEYWORD: shutdown

What makes it work for that case is the BEFORE: NETWORKING is that
line missing for the port version?

> I am not sure if this is the best solution and it's something that can be
> included into the port.

I think that DNS needs to be started before more than just dhcpd,
so this is just 1 of many possible cases. This can also be issues
with almost any network stuff that wants to do stuff by DNS value,
including the network itself. DNS creates a chicken/egg problem in
that you may, or may not need the network to resolve names, I have
always hated that aspect of it. Modern tooling can help, you use
stuff to build your /etc/rc config files that can be run while the
network is up and functional so that this entering IP addresses in
N places is less painful.

I see no problem in adding a BEFORE: NETWORKING to the port, covering
a larger number of cases than your narrow BEFORE: dhcpd.

> On a related note, unbound rc script provides "unbound" service.
> I think that maybe it should provide something more generic such as "nameserver"
> or "dns-server" (not sure if there is an established name for that).
> The reason I am saying this is that, IMO, if unbound is replaced with some other
> name server implementation the rc dependency chains should stay the same.

I do not see anything in the base system that uses unbound or local_unbound
service name, so this looks like it could be straightforward, though there
may be some ports that have use of this token.

For the blue bikeshed I find that "server" is just noise in the token
and that "dns" already has "s" for system, so just "dns" is good with me :-)

> Thanks!
> --
> Andriy Gapon

--
Rod Grimes rgri...@freebsd.org
Re: unbound and (isc) dhcpd startup order
On 15/06/2020 14:48, Eugene Grosbein wrote:
> 15.06.2020 13:10, Andriy Gapon wrote:
>
>> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
>> using unbound for a local DNS and isc-dhcp44-server for DHCP.
>> I have a few hosts with static IP addresses (for various reasons).
>> So, in unbound.conf I have an entry like
>> local-data: "hipster.home.arpa. IN A 192.168.0.222"
>
> Consider using /etc/hosts in addition to DNS to solve chicken/egg problem.

Having the same IP in more than one place (on the router) is the thing that I'd
like to avoid in the first place. Otherwise, there is no problem putting it in
dhcpd.conf.

--
Andriy Gapon
Re: unbound and (isc) dhcpd startup order
On Mon, Jun 15, 2020 at 09:10:18AM +0300, Andriy Gapon wrote:
> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
> using unbound for a local DNS and isc-dhcp44-server for DHCP.
> I have a few hosts with static IP addresses (for various reasons).
> So, in unbound.conf I have an entry like
> local-data: "hipster.home.arpa. IN A 192.168.0.222"
> and in dhcpd.conf have:
> host hipster {
>   hardware ethernet 40:74:e0:xx:xx:xx;
>   fixed-address hipster.home.arpa;
> }
>
> I am using a DNS name to avoid hardcoding the same IP address twice.
> But obviously this depends on the local DNS server starting before the DHCP
> server if they are on the same host / router.
> It seems that at the moment there is nothing to ensure that order.
>
> For the moment I modified rc.d/unbound to add this line:
> # BEFORE: dhcpd
> I am not sure if this is the best solution and it's something that can be
> included into the port.
>
> On a related note, unbound rc script provides "unbound" service.
> I think that maybe it should provide something more generic such as "nameserver"
> or "dns-server" (not sure if there is an established name for that).
> The reason I am saying this is that, IMO, if unbound is replaced with some other
> name server implementation the rc dependency chains should stay the same.
>
> Thanks!
> --
> Andriy Gapon

It might not be the exact answer you're looking for, but you might get some
idea. I run isc-dhcpd inside CBSD jail and CBSD is started after local_unbound.
For most of my needs, CBSD's b_order (short for boot order) works nicely, so if
jail is an option for you, you might consider having services in jails and then
use your jail manager (does jail.conf boot jails in order they appear in .conf
file or is otherwise able to sort jail startups?) to force jail startup order.

Regards,
meka
Re: unbound and (isc) dhcpd startup order
15.06.2020 13:10, Andriy Gapon wrote:

> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
> using unbound for a local DNS and isc-dhcp44-server for DHCP.
> I have a few hosts with static IP addresses (for various reasons).
> So, in unbound.conf I have an entry like
> local-data: "hipster.home.arpa. IN A 192.168.0.222"

Consider using /etc/hosts in addition to DNS to solve chicken/egg problem.
Re: unbound and (isc) dhcpd startup order
On Mon, 15 Jun 2020 09:10:18 +0300 Andriy Gapon a...@freebsd.org said

> I am configuring a small LAN -- mostly a gateway / router for it -- and I am
> using unbound for a local DNS and isc-dhcp44-server for DHCP.
> I have a few hosts with static IP addresses (for various reasons).
> So, in unbound.conf I have an entry like
> local-data: "hipster.home.arpa. IN A 192.168.0.222"
> and in dhcpd.conf have:
> host hipster {
>   hardware ethernet 40:74:e0:xx:xx:xx;
>   fixed-address hipster.home.arpa;
> }
>
> I am using a DNS name to avoid hardcoding the same IP address twice.
> But obviously this depends on the local DNS server starting before the DHCP
> server if they are on the same host / router.
> It seems that at the moment there is nothing to ensure that order.

Isn't there something like a "start late" available in rc.conf rc(8)?
That would then permit starting your local unbound prior to DHCPD?
Maybe that would allow you to achieve your desired results?

> For the moment I modified rc.d/unbound to add this line:
> # BEFORE: dhcpd
> I am not sure if this is the best solution and it's something that can be
> included into the port.
>
> On a related note, unbound rc script provides "unbound" service.
> I think that maybe it should provide something more generic such as "nameserver"
> or "dns-server" (not sure if there is an established name for that).
> The reason I am saying this is that, IMO, if unbound is replaced with some other
> name server implementation the rc dependency chains should stay the same.
>
> Thanks!
> --
> Andriy Gapon

--Chris
unbound and (isc) dhcpd startup order
I am configuring a small LAN -- mostly a gateway / router for it -- and I am
using unbound for a local DNS and isc-dhcp44-server for DHCP.
I have a few hosts with static IP addresses (for various reasons).
So, in unbound.conf I have an entry like
local-data: "hipster.home.arpa. IN A 192.168.0.222"
and in dhcpd.conf have:
host hipster {
  hardware ethernet 40:74:e0:xx:xx:xx;
  fixed-address hipster.home.arpa;
}

I am using a DNS name to avoid hardcoding the same IP address twice.
But obviously this depends on the local DNS server starting before the DHCP
server if they are on the same host / router.
It seems that at the moment there is nothing to ensure that order.

For the moment I modified rc.d/unbound to add this line:
# BEFORE: dhcpd
I am not sure if this is the best solution and it's something that can be
included into the port.

On a related note, unbound rc script provides "unbound" service.
I think that maybe it should provide something more generic such as "nameserver"
or "dns-server" (not sure if there is an established name for that).
The reason I am saying this is that, IMO, if unbound is replaced with some other
name server implementation the rc dependency chains should stay the same.

Thanks!
--
Andriy Gapon