[Unbound-users] unbound-host bug parsing commandline
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Fri Oct 2 08:08:00 UTC 2009
Hi Paul,
Fixed in svn r1856.
Thanks for the bug report.
On 09/29/2009 12:09 AM, Paul Wouters wrote:
> There is a difference between:
> unbound-host -d -d -d -C /etc/unbound/unbound.conf
> This is not at all obvious. I suggest that specifying -d -d -d should
> override the verbosity: setting from the conf file, irrespective of
> the order of the arguments.
>
> I think I also got bitten by a changed default, where unbound no longer
> reads the /etc/unbound/unbound.conf. That makes the unbound command kind
> of hard to use. Why would someone use unbound-host without specifying
> any conf file (and therefore any key) ?
unbound-host never read the default config file.
unbound-host performs the whole recursive lookup (so, not like dig), and
can do the whole validation as well. Like you had a copy of the unbound
daemon inside it (which is how it works). So making that work on its
own is useful, because it is likely to work when your daemon (-s config
file) is broken.
But those were my assumptions. Other stuff could be more useful.
With the root getting signed, some way for unbound-host to find
a root key is useful. /etc/dnssec.root.key? /etc/dnssec.conf?
Should there be the same file for all validators on the machine? The
file format is likely an issue - as we already have different file
formats for:
* unbound 'plain zone format DS or DNSKEYs with ;comments allowed'
* autotrust or unbound 'rfc5011 state' files, like the above with
special ;comments. Slight difference between autotrust-original and the
unbound-imported, but compatible enough to switch from one to the other
(don't let them both fight over the same file at the same time).
* bind-style trusted-key{} clauses
* ... however the ISC folk go and store the 5011 state
* dig-sigchase-style 'single line with one DNSKEY only'
Otherwise, compiling the root key into unbound-host is an option.
Much like it uses compile-time root-hints (and nobody complains
about that) as default. To do that, you would need that trust-history
draft I keep pushing into the IETF (or some other solution) ...
Best regards,
Wouter
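The mail above lists several incompatible trust-anchor file formats. As an added example (not from the mail, not Unbound's code), here is a small Python reader for the plain zone-format DNSKEY style with `;` comments that Unbound uses, which also emits each KSK in DS form so an anchor can be rewritten for a tool that expects DS records. The sample file contents, the `2059` key tag and the key material are constructed, not real root key data.

```python
import base64
import hashlib

# Constructed sample in Unbound's plain zone format with ;comments. The
# ";;last_queried" line mimics an rfc5011 state file; it is just a comment here.
SAMPLE_ANCHORS = """\
; trust anchors for unbound-host (constructed example data)
. 172800 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk), size = 24b}
;;last_queried: 0 ;;Thu Jan  1 00:00:00 1970
example. DNSKEY 256 3 8 BAUG
"""

def parse_dnskeys(text):
    """Yield (owner, flags, protocol, algorithm, key_bytes) from zone-format
    DNSKEY lines. TTL and class are optional; ';' starts a comment."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 5 or rest[0].upper() != "DNSKEY":
            continue
        flags, proto, alg = (int(x) for x in rest[1:4])
        yield owner, flags, proto, alg, base64.b64decode("".join(rest[4:]))

def dnskey_rdata(flags, proto, alg, key):
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Lowercased wire-format owner name, as used in the DS digest input."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_to_ds(text):
    """Return 'owner IN DS keytag alg 2 sha256hex' for each key with the SEP
    bit set; zone-signing keys without SEP are not trust anchors and are skipped."""
    out = []
    for owner, flags, proto, alg, key in parse_dnskeys(text):
        if not flags & 1:
            continue
        rdata = dnskey_rdata(flags, proto, alg, key)
        digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return out
```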