Maintained by: NLnet Labs

unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

Tomas Hozza
Tue Nov 10 08:38:19 CET 2015

Hi Phil.

Sorry for the late response.

On 04.11.2015 17:35, Phil Mayers wrote:
> On 04/11/2015 15:49, Tomas Hozza wrote:
>> If you have some strong technical argument for this behavior I would
>> be more than glad to hear it. The reason is that similar people will
>> fight hard against having Unbound as the default DNS resolver in
>> Fedora, which is our ultimate plan. Ability to spare hundreds of
>> emails arguing with them would be great :)
> Which "behaviour"?
> I'm honestly confused. As far as I can tell, everything is working as designed here.

I meant the situation that the user disabled the IPv6, but Unbound as IPv6
aware application triggers a request to load the module through calling the 
standard syscall.

> The code tries to open an IPv6 socket, the kernel tries to load the module, SELinux denies and logs this. Each of these items is by design. Which are you suggesting should change?

I think it makes sense. I'm just not that familiar with how IPv6 works in kernel,
therefore I was trying to ask you for more information so I can possibly convince
the Fedora user that the Unbound's behavior is expected and correct.

> Is it the audit log that is annoying people? If so, the SELinux policy should be a dontaudit.

I think it is the fact that they disabled the IPv6, but some userspace component
is trying to load into kernel a module they they don't want to be loaded.

> Can we agree that unbound-anchor should not be reading sysctls to change it's behaviour?

Definitely. I really think Unbound should not read the file and just use standard syscall
and check for errors - as it already does.

Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

Red Hat Inc.