After installing Unbound in a OpenWrt router, I noticed that afer a reboot, the DNS was not working. I saw many of these errors in the log:
failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
I have discovered that the system date was wrong. As this device lacks a hardware clock, when the machine boots, it cannot synchronize the time by NTP because there is no resolver (Unbound doesn’t start because the date validation of the ICANN certificate fails). It’s a chicken or the egg problem.
To solve this, I added in
/etc/rc.local a manual synchronization against a IP of a NTP server:
/usr/sbin/ntpd -n -q -N -p 220.127.116.11
Another possible solution would be to hardcode the IP of some of your configured NTP servers in