The Unbound service is a validating, recursive, and caching DNS resolver that can be used to configure the DNS service for Elastic Compute Service (ECS) instances. This topic describes the cause of and solution to the issue that the Unbound service fails to be started on an ECS instance that runs the Alibaba Cloud Linux 3 operating system.
Problem description
The Unbound service fails to be started after the unbound-1.7.3 or unbound-1.16.2 package is installed on an ECS instance that runs the Alibaba Cloud Linux 3 operating system.
The following error message is returned:
# sudo systemctl start unbound
Job for unbound.service failed because a timeout was exceeded.
See "systemctl status unbound.service" and "journalctl -xe" for details.Cause
The ExecStartPre directive is changed in the unbound-1.7.3 and unbound-1.16.2 versions of the Unbound service. The DISABLE_UNBOUND_ANCHOR variable is added to specify whether to run the unbound-anchor command. In this command, the -f /etc/resolv.conf -R parameter can be used to specify or update the root trust anchor on the root server for Domain Name System Security Extensions (DNSSEC) validation. In an environment without Internet connectivity, access to the root server is denied after the unbound-anchor command is run. As a result, the instance fails to query the root trust anchor and start the Unbound service.
Solution
In an environment without Internet connectivity, set the DISABLE_UNBOUND_ANCHOR environment variable to yes to disable the unbound-anchor command from being run. This prevents access to the root server and ensures that the Unbound service can be started as expected.
Open the
/etc/sysconfig/unboundfile.sudo vim /etc/sysconfig/unboundPress the
Ikey to enter Insert mode and add the following content to the file:DISABLE_UNBOUND_ANCHOR=yesPress the
Esckey, enter:wq, and then press theEnterkey to save and close the configuration file.Start the
Unboundservice.sudo systemctl start unbound
References
For more information about the unbound-anchor command, see Unbound.