Unbound log shows failure "DietPi package-helper[526]: fail: the anchor is NOT ok and could not be fixed"

I have a default DietPi installation for Pi-hole & Unbound. When I check the Unbound log with “journalctl -u unbound” it shows me the failure “DietPi package-helper[526]: fail: the anchor is NOT ok and could not be fixed”. Does anybody have any idea about this error, what the solution is, and what the bad effect of this is?

root@DietPi:~# journalctl -u unbound
-- Logs begin at Wed 2021-01-13 11:56:30 MST, end at Sun 2021-01-17 14:31:45 MST. --
Jan 13 11:56:31 DietPi systemd[1]: Starting Unbound DNS server...
Jan 13 11:56:31 DietPi package-helper[526]: /var/lib/unbound/root.key has content
Jan 13 11:56:31 DietPi package-helper[526]: fail: the anchor is NOT ok and could not be fixed
Jan 13 11:56:31 DietPi unbound[547]: [1610564191] unbound[547:0] info: start of service (unbound 1.9.0).
Jan 13 11:56:31 DietPi systemd[1]: Started Unbound DNS server

Also, I have Plex installed on the same device. I want to add {private-domain: “plex.direct” } in “/etc/unbound/unbound.conf.d/pi-hole.conf”. Is it allowed in the DietPi default installation to edit this file or not? In the past, in an Ubuntu installation, I added this line to the Unbound configuration. Is this required in a DietPi installation or not?


Many thanks for your message. I searched the web and found something fitting your issue. https://www.mail-archive.com/unbound-users@lists.nlnetlabs.nl/msg00442.html

Can you check if restarting the service will remove the anchor error message?

systemctl restart unbound
systemctl status unbound

Btw can you post cat /etc/resolv.conf

Thanks Joulinar,
After restarting Unbound that error is gone & I got the correct log:
Jan 17 15:10:22 DietPi package-helper[11221]: /var/lib/unbound/root.key has content
Jan 17 15:10:22 DietPi package-helper[11221]: success: the anchor is ok

The result of your recommended command is
root@DietPi:~# cat /etc/resolv.conf

I think this DNS server comes from dietpi-config. I am using Cloudflare for this (as mentioned in the guideline to put an external IP there).
Please tell me whether in my dietpi-config I have to use my gateway/router IP ( or the Cloudflare IP address. At this time the Pi-hole machine( is not using itself for DNS resolution. In DietPi query, the Pi-hole machine only resolves PTR queries for itself. In my router, where the DNS server address is written, I have the option to add a secondary DNS also ( this time in the router it is written primary & secondary. What do you suggest: in dietpi-config do I have to write the existing DNS ( & or (only . With the second approach Pi-hole tries to resolve DNS from the gateway/router & the router forwards to Pi-hole. In the event of failure of Pi-hole, the router starts using the secondary DNS automatically as the primary DNS server fails.

OK, resolv.conf is fine. Nothing to change on this. Looks like Unbound is starting too early. That’s why the anchor is not able to complete during boot but runs successfully on manual restart. Let’s try the following:

nano /lib/systemd/system/unbound.service

Now add dietpi-boot.service to the line After=network.target. It should look like this now:

After=network.target dietpi-boot.service

Save the file and do

systemctl daemon-reload

Once the system is back, check the status of the service

systemctl status unbound

Thanks Joulinar,
I implemented your guidelines & restarted the system, & after that the Unbound failure is gone; everything is normal now.

What do you suggest about plex.direct queries to Unbound by localhost with the Plex installation:
{private-domain: “plex.direct” } in “/etc/unbound/unbound.conf.d/pi-hole.conf”

As my NUC machine is not resolving DNS for itself, even if we write "private-domain: “plex.direct”" in “/etc/unbound/unbound.conf.d/pi-hole.conf” it will not be useful, as localhost is not using it. So it means that for Plex local files it tries to resolve its IP through the Cloudflare service. Is there anything I can do to eliminate this and let the local machine resolve local data by itself?

Better to create your own plex.conf inside /etc/unbound/unbound.conf.d. This way you can avoid your config getting overwritten if pi-hole.conf is removed/updated or whatever. Because in the next DietPi version 6.35, pi-hole.conf is gone, at least on new installations. There we will have dietpi.conf only.

So I have to open this folder, which has these files at present:

root@DietPi:/etc/unbound/unbound.conf.d# dir
dietpi.conf qname-minimisation.conf
dietpi-pihole.conf root-auto-trust-anchor-file.conf

In this folder I have to create a new file “sudo nano plex.conf” & write these two lines & save it

private-domain: "plex.direct"
and reboot the system.
Is there any other thing you recommend to do from my end?

Don’t think server is needed. Just add the private-domain and give it a try. Service restart should be fine but server reboot is ok as well.

Thanks Joulinar, everything is solved, please close this thread. I tried to do it from my end but I am not able to see any option to close the thread from the user side.

Can you share your final solution for Plex, please? Other users might be interested as well.

Creating a separate file plex.conf in dir & restarting unbound fixed the issue.

root@DietPi:/etc/unbound/unbound.conf.d# pwd

root@DietPi:/etc/unbound/unbound.conf.d# ls
dietpi.conf  pi-hole.conf  plex.conf  qname-minimisation.conf  root-auto-trust-anchor-file.conf

root@DietPi:/etc/unbound/unbound.conf.d# cat plex.conf

    # MY customizations

    # Allow Plex Media Server
    private-domain: plex.direct
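
What `private-domain: plex.direct` changes in the resolver, as an added Python model (not code from this thread or from Unbound itself). It assumes the Unbound config also sets `private-address` ranges, which the thread does not show, and it uses a constructed plex.direct hostname.

```python
import ipaddress

# Assumption: private-address ranges of the kind a Pi-hole style Unbound
# config usually sets; the thread does not show the file's contents.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]

def in_private_domain(qname, private_domains):
    """True if qname is a private-domain entry or one of its subdomains."""
    labels = qname.lower().rstrip(".").split(".")
    for dom in private_domains:
        dlabels = dom.lower().rstrip(".").split(".")
        # Compare whole labels so "notplex.direct" does not match "plex.direct".
        if labels[-len(dlabels):] == dlabels:
            return True
    return False

def filter_answer(qname, addresses, private_domains=()):
    """Return the addresses left in an answer after private-address filtering."""
    if in_private_domain(qname, private_domains):
        return list(addresses)          # exempted: private IPs are kept
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        private = any(ip.version == net.version and ip in net
                      for net in PRIVATE_ADDRESS)
        if not private:
            kept.append(addr)           # public address passes through
    return kept

if __name__ == "__main__":
    # Constructed sample: plex.direct names encode the server's LAN address.
    name = "192-168-1-50.0123456789abcdef0123456789abcdef.plex.direct"
    print("without private-domain:", filter_answer(name, ["192.168.1.50"]))
    print("with private-domain:   ",
          filter_answer(name, ["192.168.1.50"], ["plex.direct"]))
    # The exemption covers plex.direct and its subdomains only.
    print("lookalike name:        ",
          filter_answer("plex.direct.example.net",
                        ["192.168.1.50", "203.0.113.7"], ["plex.direct"]))
```

The exemption applies to every name under plex.direct, so private-address filtering no longer covers answers for that zone.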