Maintained by: NLnet Labs

[Unbound-users] problem with forward zone?

W.C.A. Wijngaards
Wed Jan 22 11:08:54 CET 2014


Hi Casey,

On 01/22/2014 10:18 AM, Casey Stone wrote:
> I previously posted about Unbound seemingly not observing the
> forward-zone settings in my setup (unbound version 1.4.19 on Ubuntu
> 13.04 server). My reason for using the forward-zone directive in
> unbound.conf is to forward all requests through dnscrypt-proxy
> running on the localhost:
> 
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.2
> 
> I received no feedback from this list so I also posted on
> dnscrypt-proxy github page (
> https://github.com/jedisct1/dnscrypt-proxy/issues/19 ) where
> thankfully a fellow affected individual, Simon, posted his
> solution.
> 
> This could be a BUG in UNBOUND ... the solution is unbound.conf
> MUST explicitly turn off remote control (neither of us was using
> remote control):
> 
> remote-control:
>     control-enable: no
> 
> Simply not including control-enable in the unbound.conf is not
> sufficient. More documentation/discussion of the issue, setup, and
> solution is available on the above mentioned github page.

Thanks for sharing this back here.  I see in the logfiles on the
github page that:

Sep 17 04:28:06 unbound[10138:0] debug: new control connection from ip4 127.0.0.1 port 50815 (len 16)
Sep 17 04:28:06 unbound[10138:0] debug: comm point stop listening 12
Sep 17 04:28:06 unbound[10138:0] debug: comm point start listening 12
Sep 17 04:28:06 unbound[10138:0] debug: remote control connection authenticated
Sep 17 04:28:06 unbound[10138:0] info: control cmd:  forward off

It seems something else is running and calling "unbound-control
forward off".  This would disable your configured forward-zone
statement at run time.  Setting control-enable: no causes this
unbound-control sequence to be ignored (because you disallow
remote-control in unbound.conf).

(Are you running dnssec-trigger?  Uninstall it, because you want to
manually configure where queries go.)

So, it is not so much a bug in control-enable; there is some program
on the machine that calls unbound-control forward off, and that is the
'root cause'.  Or at least, a step close to a root cause for not
having the unbound configuration you want.

Best regards,
   Wouter

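The log check described in the message above can be automated. The following is an added example, not part of the original post or of Unbound: it scans syslog text in the format of the quoted excerpt and reports every remote-control command that changes forwarding at run time, together with the control connection it arrived on. It assumes the log verbosity is high enough to produce the lines shown in the excerpt; the function and variable names are hypothetical.

```python
import re

# First five lines: the excerpt quoted in the message, unwrapped.
# Last three lines: constructed for contrast (a read-only "status" call).
SAMPLE_LOG = """\
Sep 17 04:28:06 unbound[10138:0] debug: new control connection from ip4 127.0.0.1 port 50815 (len 16)
Sep 17 04:28:06 unbound[10138:0] debug: comm point stop listening 12
Sep 17 04:28:06 unbound[10138:0] debug: comm point start listening 12
Sep 17 04:28:06 unbound[10138:0] debug: remote control connection authenticated
Sep 17 04:28:06 unbound[10138:0] info: control cmd:  forward off
Sep 17 04:30:11 unbound[10138:0] debug: new control connection from ip4 127.0.0.1 port 50901 (len 16)
Sep 17 04:30:11 unbound[10138:0] debug: remote control connection authenticated
Sep 17 04:30:11 unbound[10138:0] info: control cmd:  status
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) unbound\[(?P<pid>\d+):\d+\] \w+: (?P<msg>.*)$")
CONN = re.compile(r"new control connection from \S+ (\S+) port (\d+)")
CMD = re.compile(r"control cmd:\s+(.*)")
# unbound-control commands that alter forwarding in the running server
FORWARD_CMDS = {"forward", "forward_add", "forward_remove"}


def forwarding_changes(log_text):
    """Return one finding per control command that changes forwarding."""
    last_conn = {}  # pid -> (peer address, peer port) of the latest control connection
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        conn = CONN.search(msg)
        if conn:
            last_conn[pid] = (conn[1], int(conn[2]))
            continue
        cmd = CMD.search(msg)
        words = cmd[1].split() if cmd else []
        # "forward" with no argument only prints the current forwarders
        if len(words) > 1 and words[0] in FORWARD_CMDS:
            peer, port = last_conn.get(pid, (None, None))
            findings.append({"time": m["ts"], "pid": int(pid), "peer": peer,
                             "port": port, "command": " ".join(words)})
    return findings


if __name__ == "__main__":
    for finding in forwarding_changes(SAMPLE_LOG):
        print(finding)
```

Each finding carries the timestamp and local source port of the call, which is the starting point for identifying which program on the machine issued it.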