Bug 248828 - dns/unbound 1.11.0 with option dnstap socket error
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2020-08-22 10:43 UTC by p5B2E9A8F
Modified: 2020-10-13 21:27 UTC
jaap: maintainer-feedback+
Description p5B2E9A8F 2020-08-22 10:43:38 UTC
from logfile:
Aug 22 11:20:10 unbound[74860:0] notice: Restart of unbound 1.11.0.
Aug 22 11:20:10 unbound[74860:0] notice: init module 0: validator
Aug 22 11:20:10 unbound[74860:0] notice: init module 1: iterator
Aug 22 11:20:10 unbound[74860:0] notice: attempting to connect to dnstap socket /usr/local/etc/unbound/dnstap.sock
Aug 22 11:20:10 unbound[74860:0] warning: could not open dnstap-socket-path: /usr/local/etc/unbound/dnstap.sock, No such file or directory
Aug 22 11:20:10 unbound[74860:0] notice: dnstap Message/RESOLVER_QUERY enabled
Aug 22 11:20:10 unbound[74860:0] notice: dnstap Message/RESOLVER_RESPONSE enabled
Aug 22 11:20:10 unbound[74860:0] notice: dnstap Message/CLIENT_QUERY enabled
Aug 22 11:20:10 unbound[74860:0] notice: dnstap Message/CLIENT_RESPONSE enabled
Aug 22 11:20:10 unbound[74860:0] notice: dnstap Message/FORWARDER_QUERY enabled
Aug 22 11:20:10 unbound[74860:0] notice: dnstap Message/FORWARDER_RESPONSE enabled
Aug 22 11:20:10 unbound[74860:0] info: start of service (unbound 1.11.0).
Aug 22 11:20:10 unbound[74860:5] error: dnstap io: failed to connect to "/usr/local/etc/unbound/dnstap.sock": No such file or directory
Aug 22 11:20:10 unbound[74860:5] error: dnstap io: failed to connect to "/usr/local/etc/unbound/dnstap.sock": No such file or directory
Aug 22 11:20:10 unbound[74860:5] error: dnstap io: failed to connect to "/usr/local/etc/unbound/dnstap.sock": No such file or directory
Aug 22 11:20:10 unbound[74860:5] error: dnstap io: failed to connect to "/usr/local/etc/unbound/dnstap.sock": No such file or directory
...
error is repeated every second for ever
Comment 1 Jaap Akkerhuis 2020-08-24 13:29:49 UTC
(In reply to p5B2E9A8F from comment #0)

There is a bug that the chroot path and/or the working directory is not taken into account and that interferes with the dnstap-socket-path.

So, if unbound is doing a chroot (default), leave off the default path (as specified by the chroot: directive); the workaround is to remove the chroot path from the dnstap-socket-path: 

The bug will be fixed in the next release and there will also be a fix to stop unbound from spamming the logfile.

        jaap
Comment 2 p5B2E9A8F 2020-08-25 19:28:12 UTC
(In reply to Jaap Akkerhuis from comment #1)
I tried the workaround with this in unbound.conf:
        chroot: /usr/local/etc/unbound

and changed
        dnstap-socket-path: "/usr/local/etc/unbound/dnstap.sock"

to 
        dnstap-socket-path: "dnstap.sock"

but I still get the error
error: dnstap io: failed to connect to "dnstap.sock": No such file or directory
Comment 3 Jaap Akkerhuis 2020-08-25 20:44:20 UTC
(In reply to p5B2E9A8F from comment #2)
Unbound won't create the socket, it only wants to (re-)connect with an existing one on which there is a program listening. The canonical example is discussed at <https://dnstap.info/Examples/>.

Alternatively, you could also use the test tool which is hidden in the unbound release. Go to ../unbound/work/unbound-1.11.0. Create the test tool (make unbound-dnstap-socket). ./unbound-dnstap-socket -h tells you how to use it:

./unbound-dnstap-socket -h
usage: unbound-dnstap-socket [options]
 	Listen to dnstap messages
stdout has dnstap log, stderr has verbose server log
-u <socketpath> listen to unix socket with this file name
-s <serverip[@port]> listen for TCP on the IP and port
-t <serverip[@port]> listen for TLS on IP and port
-x <server.key> server key file for TLS service
-y <server.pem> server cert file for TLS service
-z <verify.pem> cert file to verify client connections
-l 		long format for DNS printout
-v 		more verbose log output
-h 		this help text

Note that this is just a testing tool, it is not meant for daily use.

        jaap

BTW, don't forget to make sure that unbound can read/write to the socket.
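
A check for the conditions raised in comments 1 to 3 (socket file absent, nothing listening on it, or not accessible to the connecting user), as an added example that is not part of the bug thread or of Unbound. The function names are hypothetical, and the list of candidate paths is an assumption about where to look on the host, not a statement of how Unbound resolves dnstap-socket-path.

```python
import os
import socket
import stat


def candidate_paths(chroot, configured):
    """Host paths to check for one dnstap-socket-path value (assumed list, not Unbound's logic)."""
    chroot = chroot.rstrip("/")
    if not os.path.isabs(configured):
        return [os.path.join(chroot, configured)]    # relative: look in the chroot directory
    # absolute: as written, and as it would resolve after chroot() has happened
    return list(dict.fromkeys([configured, chroot + configured]))


def probe(path):
    """Classify a path the way a connecting client would experience it."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"              # ENOENT, the error in the log above
    except PermissionError:
        return "permission-denied"    # a parent directory is not searchable
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)
    except ConnectionRefusedError:
        return "no-listener"          # stale socket file, nothing accepting
    except PermissionError:
        return "permission-denied"    # socket not writable by this user
    finally:
        client.close()
    return "listening"


def report(chroot, configured):
    """Probe every candidate path for one configured value."""
    return [(p, probe(p)) for p in candidate_paths(chroot, configured)]


if __name__ == "__main__":
    # chroot and dnstap-socket-path values taken from the bug report
    for value in ("/usr/local/etc/unbound/dnstap.sock", "dnstap.sock"):
        for path, status in report("/usr/local/etc/unbound", value):
            print(f"{value!r}: {path} -> {status}")
```

Run it as the user unbound runs as, otherwise the permission results describe the wrong account.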
Comment 4 p5B2E9A8F 2020-10-12 15:55:40 UTC
Fixed in Unbound version 1.12.0
Comment 5 p5B2E9A8F 2020-10-13 21:27:16 UTC
Unfortunately the bug seems not to be fixed.
What has been fixed is that the logfile no longer gets spammed.

A UNIX socket created at /usr/local/etc/unbound/dnstap.sock is not recognized.
The logfile lines are exactly the same except the version is now 1.12.0.