[Unbound-users] unbound-control set_option domain-insecure: ?
wouter at nlnetlabs.nl
Wed Jun 27 14:34:45 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
On 06/27/2012 02:05 PM, Jarno Huuskonen wrote:
> I'm having some problems with (unbound 1.4.17): unbound-control
> set_option domain-insecure: arm.gov.
Yes set_option and get_option do not work with domain-insecure, like
it says on the man-page. The special code for the command stub_add,
that adds a domain-insecure works, so your workaround is fine.
The reason why it does not work, is that get_option and set_option are
basically using the same interface as 'libunbound' setoption and
getoption, however, the daemon is already running (unlike when the
functions are used with libunbound) and therefore it has already been
initialised. Options that are referenced at runtime work. Options
that are referenced by the initialisation code fail to work, because
the option value is changed but the code is not re-initialised when
you run unbound-control set_option.
> If I do: unbound-control reload unbound-control set_option
> domain-insecure: arm.gov.
> and then dig @127.0.0.1 ns arm.gov.
> I get validation errors (and the dig query fails with SERVFAIL):
> info: validation failure <arm.gov. NS IN>: no keys have a DS with
> algorithm RSASHA1-NSEC3-SHA1 from 188.8.131.52 for key arm.gov.
> while building chain of trust
> But if I put: domain-insecure: "arm.gov." into unbound.conf and do
> unbound-control reload and then try the query (dig @127.0.0.1 ns
> arm.gov.) it works just fine (w/out validation)
> Is there something obvious that I'm missing ? (man unbound-control
> set_option doesn't list domain-insecure as working ?)
> This "workaround" seems to work: unbound-control stub_add +i
> arm.gov. 127.0.0.1; unbound-control \ stub_remove arm.gov. (but
> unbound-control get_option domain-insecure doesn't show arm.gov.
> after this "workaround").
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Unbound-users