Maintained by: NLnet Labs

[Unbound-users] unbound-host bug parsing commandline

W.C.A. Wijngaards
Fri Oct 2 10:08:00 CEST 2009



Hi Paul,

Fixed in svn r1856.

Thanks for the bug report.

On 09/29/2009 12:09 AM, Paul Wouters wrote:
> There is a difference between:
>     unbound-host -d -d -d -C /etc/unbound/unbound.conf
> This is not at all obvious. I suggest that specifying -d -d -d should
> override the verbosity: setting from the conf file, irrespective of
> the order of the arguments.
> 
> I think I also got bitten by a changed default, where unbound no longer
> reads the /etc/unbound/unbound.conf. That makes the unbound command kind
> of hard to use. Why would someone use unbound-host without specifying
> any conf file (and therefore any key) ?

unbound-host never read the default config file.

unbound-host performs the whole recursive lookup (so, not like dig), and
can do the whole validation as well.  Like you had a copy of the unbound
daemon inside it (which is how it works).  So making that work on its
own is useful, because it is likely to work when your daemon (-s config
file) is broken.

But those were my assumptions.  Other stuff could be more useful.

With the root getting signed, some way for unbound-host to find
a root key is useful.  /etc/dnssec.root.key?  /etc/dnssec.conf?
Should there be the same file for all validators on the machine?  The
file format is likely an issue - as we already have different file
formats for:
* unbound 'plain zone format DS or DNSKEYs with ;comments allowed'
* autotrust or unbound 'rfc5011 state' files, like the above with
special ;comments.  Slight difference between autotrust-original and the
unbound-imported, but compatible enough to switch from one to the other
(don't let them both fight over the same file at the same time).
* bind-style trusted-key{} clauses
* ... however the ISC folk go and store the 5011 state
* dig-sigchase-style 'single line with one DNSKEY only'

Otherwise, compiling the root key into unbound-host is an option.
Much like it uses compile-time root-hints (and nobody complains
about that) as default.  To do that, you would need that trust-history
draft I keep pushing into the IETF (or some other solution) ...

Best regards,
   Wouter
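As an added example, not code from this thread or from unbound itself, here is a small Python normalizer for three of the trust-anchor formats listed above (unbound's plain zone-format file with ';' comments, BIND's trusted-keys{} clause, and dig's single DNSKEY line), which is the kind of glue a "same file for all validators" would have to replace. The sample records and key strings are constructed placeholders, not real root-zone material.

```python
import re

# Constructed sample anchors for the same key in each format; the key and
# digest strings are placeholders, not real root-zone key material.
UNBOUND_PLAIN = """; unbound trust-anchor style: zone format, ';' comments allowed
. IN DS 12345 8 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
. 3600 IN DNSKEY 257 3 8 AwEAAexampleKSKbase64==  ; KSK
"""
BIND_TRUSTED_KEYS = """trusted-keys {
    "." 257 3 8 "AwEAAexample
                 KSKbase64==";
};
"""
DIG_SINGLE_LINE = ". IN DNSKEY 257 3 8 AwEAAexampleKSKbase64=="

def parse_zone_style(text):
    """Parse DS/DNSKEY records in zone format (unbound plain file, dig line)."""
    anchors = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        owner, *rest = line.split()
        # Skip an optional TTL and class between the owner name and the RR type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        rtype = rest[0].upper()
        if rtype == "DS":      # (type, owner, keytag, algorithm, digest type, digest)
            anchors.append(("DS", owner, int(rest[1]), int(rest[2]), int(rest[3]),
                            "".join(rest[4:]).upper()))
        elif rtype == "DNSKEY":  # (type, owner, flags, protocol, algorithm, key)
            anchors.append(("DNSKEY", owner, int(rest[1]), int(rest[2]), int(rest[3]),
                            "".join(rest[4:])))
    return anchors

# One BIND trusted-keys entry: "owner" flags proto alg "base64 (may span lines)";
BIND_KEY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_bind_trusted_keys(text):
    """Parse trusted-keys{} clauses; whitespace inside the quoted key is ignored."""
    return [("DNSKEY", owner, int(flags), int(proto), int(alg), re.sub(r"\s+", "", key))
            for owner, flags, proto, alg, key in BIND_KEY_RE.findall(text)]

def load_anchors(text):
    """Detect the format and return a de-duplicated, order-preserving anchor list."""
    parsed = parse_bind_trusted_keys(text) if "trusted-keys" in text else parse_zone_style(text)
    return list(dict.fromkeys(parsed))
```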