Maintained by: NLnet Labs

[Unbound-users] unbound-control set_option domain-insecure: ?

W.C.A. Wijngaards
Wed Jun 27 16:34:45 CEST 2012


Hi Jarno,

On 06/27/2012 02:05 PM, Jarno Huuskonen wrote:
> Hi,
> 
> I'm having some problems with (unbound 1.4.17): unbound-control
> set_option domain-insecure: arm.gov.

Yes, set_option and get_option do not work with domain-insecure, like
it says on the man page.  The special code for the command stub_add,
which adds a domain-insecure, works, so your workaround is fine.

The reason why it does not work is that get_option and set_option are
basically using the same interface as the 'libunbound' setoption and
getoption; however, the daemon is already running (unlike when the
functions are used with libunbound) and therefore it has already been
initialised.  Options that are referenced at runtime work.  Options
that are referenced by the initialisation code fail to work, because
the option value is changed but the code is not re-initialised when
you run unbound-control set_option.

Best regards,
   Wouter

> If I do:
>   unbound-control reload
>   unbound-control set_option domain-insecure: arm.gov.
> 
> and then dig @127.0.0.1 ns arm.gov.
> 
> I get validation errors (and the dig query fails with SERVFAIL): 
> info: validation failure <arm.gov. NS IN>: no keys have a DS with
> algorithm RSASHA1-NSEC3-SHA1 from 192.101.109.47 for key arm.gov.
> while building chain of trust
> 
> But if I put: domain-insecure: "arm.gov." into unbound.conf and do
> unbound-control reload and then try the query (dig @127.0.0.1 ns
> arm.gov.) it works just fine (w/out validation)
> 
> Is there something obvious that I'm missing ? (man unbound-control
> set_option doesn't list domain-insecure as working ?)
> 
> This "workaround" seems to work:
>   unbound-control stub_add +i arm.gov. 127.0.0.1; unbound-control stub_remove arm.gov.
> (but unbound-control get_option domain-insecure doesn't show arm.gov.
> after this "workaround").
> 
> -Jarno
> 
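
The behaviour explained in the reply above, as an added example that is not part of the original message and is not Unbound source code: a simplified C model in which an option is copied into a separate table at initialisation, so changing the option value afterwards has no effect on query handling. All struct and function names here are hypothetical.

```c
/* Simplified model (hypothetical names, not Unbound source): an option that
 * is read only by initialisation code is unaffected by a later change. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ZONES 8

struct config {                  /* the option values that set_option edits */
    const char *domain_insecure[MAX_ZONES];
    int count;
};

struct validator {               /* the table the query path consults */
    const char *insecure[MAX_ZONES];
    int count;
};

/* Initialisation: copy the configured zones into the validator's own table. */
static void validator_init(struct validator *v, const struct config *c) {
    v->count = c->count;
    memcpy(v->insecure, c->domain_insecure, sizeof(v->insecure));
}

/* Runtime option change: updates the config value only, no re-initialisation. */
static int set_option_domain_insecure(struct config *c, const char *zone) {
    if (c->count >= MAX_ZONES) return -1;
    c->domain_insecure[c->count++] = zone;
    return 0;
}

/* Query path: returns 1 if validation is skipped for this exact zone name. */
static int validation_skipped(const struct validator *v, const char *zone) {
    for (int i = 0; i < v->count; i++)
        if (strcasecmp(v->insecure[i], zone) == 0) return 1;
    return 0;
}

int main(void) {
    struct config cfg = {0};
    struct validator val;
    validator_init(&val, &cfg);                    /* daemon already running */
    set_option_domain_insecure(&cfg, "arm.gov.");  /* option value changes... */
    printf("set after init:  skipped=%d\n", validation_skipped(&val, "arm.gov."));
    validator_init(&val, &cfg);                    /* value present at init */
    printf("set before init: skipped=%d\n", validation_skipped(&val, "arm.gov."));
    return 0;
}
```

In the model, the first case corresponds to set_option on a running daemon and the second to having the value in unbound.conf when the daemon initialises.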

