Unbound does not generate root.key on boot → DNSSEC does not work

[newtonglez]

I expected ddnsec to work from the moment the container was created.

The root.key file wasn't generated, so ddnsec didn't work.

I got it working as follows:

*Create unbound.log
*Create a directory to hold root.key
*Create root.key

podman exec pihole sh -c 'touch /var/log/unbound/unbound.log; mkdir -p /var/lib/unbound; unbound-anchor -a "/var/lib/unbound/root.key"

*Add the line to pi-hole.conf to use root.key

podman exec pihole sh -c 'echo " trust-anchor-file: "/var/lib/unbound/root.key"" >> /etc/unbound/unbound.conf.d/pi-hole.conf'

*Add crontab settings to update root.key periodically
podman exec -it pihole bash
crontab -e

#add these lines:
00 00 1 * * unbound-anchor -a "/var/lib/unbound/root.key" >> /var/log/unbound/anchor.log 2>&1
01 00 1 * * grep '^.\s' /var/lib/unbound/root.key | wc -l >> /var/log/unbound/anchor.log
02 00 1 * * pgrep unbound && pkill -HUP unbound

*Restart the container

And now ddnsec is working (192.168.1.65 is my pihole)

dig dnssec-failed.org @192.168.1.65

; <<>> DiG 9.20.15-2-Debian <<>> dnssec-failed.org @192.168.1.65

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8078

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.org. IN A

;; Query time: 760 msec
;; SERVER: 192.168.1.65#53(192.168.1.65) (UDP)
;; WHEN: Mon Nov 17 00:42:00 MST 2025
;; MSG SIZE rcvd: 46

There are a few changes, I hope you consider incorporating them into your image

[FlavioB79]

Hi
I followed your instructions but DNSSEC is still failing:

pihole-unbound:/# dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.20.15 <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64477
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.		IN	A

;; ANSWER SECTION:
fail01.dnssec.works.	3600	IN	A	5.45.109.212

;; Query time: 142 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Nov 24 18:32:50 UTC 2025
;; MSG SIZE  rcvd: 64

Can you help?

[newtonglez]

Hi:

I Hope this can help you, this works for me flawless

I create the container in this way 192.168.1.65 is the ip of host where is created the container and 192.168.1.254 is the ip of my router

you can make the changes that for your case.

you must be in the folder created for pihole

mkdir -p ./{etc_pihole-unbound,etc_pihole_dnsmasq-unbound}

podman run -d --restart=always
--name pihole
--hostname pihole
--restart=unless-stopped
-p 192.168.1.65:53:53/udp
-p 192.168.1.65:53:53/tcp
-p 192.168.1.65:8000:80/tcp
-e FTLCONF_LOCAL_IPV4=192.168.1.65
-e TZ=America/Mazatlan
-e WEBPASSWORD=admin
-e WEBTHEME=default-dark
-e REV_SERVER=true
-e REV_SERVER_TARGET=192.168.1.254
-e REV_SERVER_DOMAIN=local
-e REV_SERVER_CIDR=192.168.1.0/24
-e PIHOLE_DNS_=127.0.0.1#5335
-e DNSSEC=true
-e DNSMASQ_LISTENING=single
-v ./etc_pihole-unbound:/etc/pihole:Z
-v ./etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:Z
docker.io/mpgirro/pihole-unbound

podman exec pihole sh -c 'mkdir /var/lib/unbound; touch /var/log/unbound/unbound.log; mkdir -p /var/lib/unbound; unbound-anchor -a "/var/lib/unbound/root.key"'

podman exec pihole sh -c 'echo " trust-anchor-file: "/var/lib/unbound/root.key"" >> /etc/unbound/unbound.conf.d/pi-hole.conf'

podman exec -it pihole bash

crontab -e

add this to the crontab
00 00 1 * * unbound-anchor -a "/var/lib/unbound/root.key" >> /var/log/unbound/anchor.log 2>&1
01 00 1 * * grep '^.\s' /var/lib/unbound/root.key | wc -l >> /var/log/unbound/anchor.log
02 00 1 * * pgrep unbound && pkill -HUP unbound

exit from your container and run dig for testing

dig dnssec-failed.org @192.168.1.65

; <<>> DiG 9.20.15-2-Debian <<>> dnssec-failed.org @192.168.1.65
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17588
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.org. IN A

;; Query time: 784 msec
;; SERVER: 192.168.1.65#53(192.168.1.65) (UDP)
;; WHEN: Mon Nov 24 12:02:14 MST 2025
;; MSG SIZE rcvd: 46

[FlavioB79]

Sorry, maybe I missed to add some details.
I've just downloaded the image for this docker on my Synology NAS, started it and set only the HTTPS management port be mapped to 9443. Everything is running on my NAS, so just 1 IP address.
I think what you're suggesting is a bit too deep for me... it looks like I have to reconfigure my docker, then recreate it?!

[newtonglez]

i dont have a synology NAS, i dont know if there u are able to run commands like this:

podman exec -it pihole bash

if you arent able i dont know how you can insert the little changes that need, i'm running podman in a minipc with debian, so i can launch these commands from my ssh session.

[FlavioB79]

Yes I can use "docker exec -it pihole-unbound bash".

But I haven't created a folder for pihole as you mentioned earlier.

Running
mkdir -p ./{etc_pihole-unbound,etc_pihole_dnsmasq-unbound}
creates 2 folders in addition to /etc -->

pihole-unbound:/# ls -la | grep etc
drwxr-xr-x 1 root root 978 Nov 20 21:13 etc
drwxr-xr-x 1 root root 0 Nov 24 22:36 etc_pihole-unbound
drwxr-xr-x 1 root root 0 Nov 24 22:36 etc_pihole_dnsmasq-unbound

Doesn't look neat to me - or maybe I don't understand the use of _ instead of creating folders and subfolders.

In fact, I already have

/etc/pihole
/etc/unbound
/etc/unbound/unbound.conf.d

[newtonglez]

maybe you dont need create explicity these folders, but you must have defined these 2 volumes

once that you recreate your image with these volumes then run the instruccions below, and forget the folders that i create, you be sure that you have volumes pointing to

/etc/pihole
/etc/dnsmasq.d

if you already have that, then start the instructions from here

docker exec pihole sh -c 'mkdir /var/lib/unbound; touch /var/log/unbound/unbound.log; mkdir -p /var/lib/unbound; unbound-anchor -a "/var/lib/unbound/root.key"'

docker exec -it pihole bash

crontab -e

add this to the crontab
00 00 1 * * unbound-anchor -a "/var/lib/unbound/root.key" >> /var/log/unbound/anchor.log 2>&1
01 00 1 * * grep '^.\s' /var/lib/unbound/root.key | wc -l >> /var/log/unbound/anchor.log
02 00 1 * * pgrep unbound && pkill -HUP unbound

exit from your bash and run dig for testing from other machine

dig dnssec-failed.org @IpOfYourNas

[FlavioB79]

Thanks @newtonglez but for the time being I'm giving up on this docker and will look into running pihole/pihole and a separate unbound docker.