Maintained by: NLnet Labs

unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

Tomas Hozza
Wed Nov 4 16:49:08 CET 2015


On 04.11.2015 12:35, Phil Mayers via Unbound-users wrote:
> On 04/11/2015 00:32, Robert Edmonds via Unbound-users wrote:
> > Paul Wouters via Unbound-users wrote:
> >> FYI:
> >>
> >> rhbz#1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >>
> >> Paul
> >
> > Hi, Paul:
> >
> > I'm a bit confused.  unbound-anchor is an ordinary program that uses the
> > sockets API, so it should have no reason to read Linux kernel specific
> > sysctl's or change behavior based on their values, since sysctl's are
> > parameters for the kernel.
>
> Agreed. What's happening here is that a user-space attempt to open an AF_INET6 socket is causing a modprobe, likely because the reporter has blocked the IPv6 kernel module from loading ("I don't trust IPv6").
>
> They erroneously believe the sysctl would stop this, when all it does is disable IPv6 on all interfaces - it's nothing to do with application behaviour or module loading control.
>
> If there's a bug anywhere here, it's in the SELinux policy blocking the module_request, but I doubt even that.
>
> Trying to force IPv6 to not load on a Linux system causes all sorts of subtle errors these days, and should not IMHO be a supported use-case.

Believe it or not, there are users who are doing it and think it is the right thing to do [1]. I think it is good that SELinux is not allowing the module to be loaded, because it is exactly what SELinux is for - another level of defense.

If you have some strong technical argument for this behavior I would be more than glad to hear it. The reason is that similar people will fight hard against having Unbound as the default DNS resolver in Fedora, which is our ultimate plan. The ability to spare hundreds of emails arguing with them would be great :)

Note that we have the same bug report for dnssec-trigger, too.

[1] https://lists.fedoraproject.org/pipermail/devel/2015-November/216417.html

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc.                 http://cz.redhat.com
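The mechanism Phil describes above, as an added example that is not code from Unbound, unbound-anchor, or anyone in this thread: a small Linux program that does what any sockets-API application does, calls socket(AF_INET6, ...), and separately reads net.ipv6.conf.all.disable_ipv6 from /proc, so the two can be compared on a given machine. The socket call is what makes the kernel request the IPv6 module (the "net-pf-10" alias, PF_INET6 being 10) when it is not built in or already loaded; if the module is blacklisted or the module_request is denied, the call fails with EAFNOSUPPORT. The sysctl is never consulted by this path. The function names, the enum and the output format are my own.

```c
/* Added example (not from the Unbound project or the thread's authors):
 * probe AF_INET6 socket creation and read the disable_ipv6 sysctl, to show
 * that they are independent mechanisms. Linux-specific (/proc path). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum ipv6_probe {
    IPV6_SOCKET_OK,       /* socket(AF_INET6) succeeded: module present/loaded */
    IPV6_AF_UNSUPPORTED,  /* EAFNOSUPPORT: module absent and could not be loaded */
    IPV6_OTHER_ERROR      /* anything else (e.g. EMFILE, EPERM under a sandbox) */
};

/* Create and immediately close an AF_INET6 datagram socket. This is the
 * call that triggers the kernel's module autoload (request_module for
 * "net-pf-10"); no sysctl is read anywhere on this path. */
enum ipv6_probe probe_ipv6_socket(int *saved_errno)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd >= 0) {
        close(fd);
        return IPV6_SOCKET_OK;
    }
    if (saved_errno)
        *saved_errno = errno;
    return errno == EAFNOSUPPORT ? IPV6_AF_UNSUPPORTED : IPV6_OTHER_ERROR;
}

/* Read net.ipv6.conf.all.disable_ipv6. Returns 0 or 1, or -1 when the file
 * is absent (IPv6 not loaded at all, or not Linux) or unreadable. */
int read_disable_ipv6_sysctl(void)
{
    FILE *f = fopen("/proc/sys/net/ipv6/conf/all/disable_ipv6", "r");
    int v;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return v != 0 ? 1 : 0;
}

static const char *probe_name(enum ipv6_probe p)
{
    switch (p) {
    case IPV6_SOCKET_OK:      return "ok (module loaded or built in)";
    case IPV6_AF_UNSUPPORTED: return "EAFNOSUPPORT (module not available)";
    default:                  return "other error";
    }
}

int main(void)
{
    int err = 0;
    enum ipv6_probe p = probe_ipv6_socket(&err);
    int sysctl = read_disable_ipv6_sysctl();

    printf("socket(AF_INET6): %s", probe_name(p));
    if (p != IPV6_SOCKET_OK)
        printf(" [%s]", strerror(err));
    printf("\n");

    if (sysctl < 0)
        printf("net.ipv6.conf.all.disable_ipv6: not present\n");
    else
        printf("net.ipv6.conf.all.disable_ipv6 = %d\n", sysctl);
    return 0;
}
```

On a machine with the module loaded, the first line reports "ok" whether the sysctl reads 0 or 1: disable_ipv6 removes IPv6 addresses from interfaces, so it is later operations that use an IPv6 address that fail, not socket(). The only way the first line reports EAFNOSUPPORT is when the module cannot be loaded, which is exactly the situation in rhbz#1231946.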