Pihole showing "BOGUS (DNSSEC signature expired)", reason for that maybe missing/incorrect TZ in unbound container? #363
Comments
The image is distroless, so I doubt the env var will do anything to set the timezone. You could try mounting Here is an example for New York timezone
I thought I was smart using that workaround, but it doesn't work I'm afraid 😸 It seemed to go away after restarting the stack but nope. Edit: smol tip but you can simply pass /etc/localtime:/etc/localtime:ro instead of picking a TZ, that's one less thing to care about and if it's ever added to an example yaml, it's "generic".
@klutchell sorry to ping, any reason you're using Cheers.
This config is often used in unbound use cases (I might even have been the one suggesting to use it, together with some other tweaks) as it indeed optimises speed. This being said, I also use this container and pi-hole and have not seen this issue, so I would advise refraining from n=1 based decision making. This setting has been used for months if not years in klutchell's repository and would have had more issues reported, as would have been the case with the developers of unbound (NLnetLabs)... Could it be linked to this specific case: NLnetLabs/unbound#994
"serve-expired-client-timeout" isn't set in klutchell's config, could be, could be not 🤷. My initial question about I've started using this container as my previous solution was unmaintained and a couple CVEs popped up in dnsmasq/pihole, have had this issue happen sporadically, just enough that after a couple cheap tricks to fix it, I searched "bogus" in the issue tracker, just to see if I was the only one :) There has to be something wrong somewhere and the laziest solutions are the easiest to find, I found this issue and started looking at unbound config, saw an unusual unbound setting compared to other pihole+unbound setups, figured I'd mention it, that's all ;)
Coming back to my initial issue: IF my problem is related to TZ issues, wouldn't it be possible to implement TZ into the image? I'm not quite familiar with the meaning of "distroless", but I have seen other unbound repos on GitHub which are (as they say...) also distroless, but do use TZ env variable.
klutchell's answer should be all you need to test the timezone theory, the container doesn't need tzdata if you mount the correct volume(s) from a configured host:
/etc/timezone is superfluous but better safe than sorry, alas it doesn't fix the issue (for me, ymmv). (Is this container really distroless? Dockerfile points to an alpine base) Turning serve-expired off in custom.conf.d/ seems to work around the BOGUS (DNSSEC signature expired) errors, so it could be that churchofnoise is right about the unbound issue linked.
I'll try, thanks. But as you said in response to my initial post, this workaround hasn't worked for you, so I was sceptical. But maybe, also as you said, we are on the wrong highway and the BOGUS problem isn't related to TZ at all, but to the serve-expired variable instead.
alpine is only used for the build stage, the final stage is from scratch
Hey,
I am using this container in combination with a separate pihole container (both in a macvlan running on a Synology NAS docker environment) with DNSSEC activated.
That said, I am getting "BOGUS (DNSSEC signature expired)" errors from time to time in the pi hole logs. Only occasionally and also, for whatever reason, after some retries, it is working again.
For example, this happened this morning when I wanted to check updates within my Synology NAS and the NAS contacted www.synology.com for that.
Digging a little deeper into this, I found out that DNSSEC relies on a working and correct timezone. And your docker container (I am using a yaml file) doesn't specify any TZ variable.
Can I simply add the correct TZ variable in my yaml file or does your container ignore this variable, hence has to be updated first to take this into account?
KR,
Stefan
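For triaging "signature expired" reports like the one in this thread, the following is an added example (not code from this project or from anyone in the thread) that checks an RRSIG validity window against a clock. RFC 4034 defines the inception and expiration fields as absolute UTC timestamps, so the check compares instants; the record, the name `example.test` and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG line in dig's presentation format (not real data):
# owner TTL class RRSIG covered alg labels orig-TTL expiration inception tag signer sig
SAMPLE_RRSIG = ("www.example.test. 300 IN RRSIG A 13 3 300 "
                "20240115120000 20240101120000 12345 example.test. c2lnbmF0dXJl")


def parse_rrsig_window(line):
    """Return (inception, expiration) of an RRSIG line as aware UTC datetimes."""
    fields = line.split()
    i = fields.index("RRSIG")
    # Expiration is the 5th field after the RRSIG token, inception the 6th.
    expiration, inception = fields[i + 5], fields[i + 6]

    def to_utc(stamp):
        # Presentation format is YYYYMMDDHHmmSS, always in UTC.
        return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return to_utc(inception), to_utc(expiration)


def classify(line, now):
    """Classify the signature at instant `now` (must be timezone-aware)."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime, e.g. datetime.now(timezone.utc)")
    inception, expiration = parse_rrsig_window(line)
    now = now.astimezone(timezone.utc)  # compare instants, not wall-clock digits
    if now < inception:
        return "not-yet-valid"
    if now > expiration:
        return "expired"
    return "valid"


if __name__ == "__main__":
    utc_now = datetime(2024, 1, 15, 11, 30, tzinfo=timezone.utc)
    # Same instant shown on a UTC-5 wall clock (fixed offset, constructed).
    local_now = utc_now.astimezone(timezone(timedelta(hours=-5)))
    print(classify(SAMPLE_RRSIG, utc_now))    # 30 minutes before expiration
    print(classify(SAMPLE_RRSIG, local_now))  # same instant, different zone
    # A clock running one hour fast, or an answer handed out one hour later
    # from a stale cache, lands after the expiration time.
    print(classify(SAMPLE_RRSIG, utc_now + timedelta(hours=1)))
```

To use it on a live answer, paste the RRSIG line from `dig +dnssec <name>` in place of the sample and pass `datetime.now(timezone.utc)`.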