Unbound-users Digest, Vol 2, Issue 18
SIMON BABY
simonkbaby at gmail.com
Thu Feb 13 19:15:05 UTC 2020
Hi,
I am getting the below error while trying to run unbound on my machine. I
am using unbound-1.9.6. Can someone please help.
root at ubuntu:~# which unbound
/usr/local/sbin/unbound
root at ubuntu:~# unbound -c /usr/local/etc/unbound/unbound.conf
[1581621083] unbound[22619:0] fatal error: user 'unbound' does not exist.
root at ubuntu:~# unbound -c /usr/local/etc/unbound/unbound.conf
rgds
Simon
On Thu, Feb 13, 2020 at 6:08 AM <unbound-users-request at lists.nlnetlabs.nl>
wrote:
> Today's Topics:
>
> 1. Unbound 1.10.0rc1 pre-release (Wouter Wijngaards)
> 2. Re: retrieve TLSA record also if it is not secured by DNSSEC
> (Elmar Stellnberger)
> 3. Re: retrieve TLSA record also if it is not secured by DNSSEC
> (Elmar Stellnberger)
> 4. Re: dns over tls with unbound on openwrt (Tony Finch)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 Feb 2020 13:41:53 +0100
> From: Wouter Wijngaards <wouter at nlnetlabs.nl>
> To: unbound-users at nlnetlabs.nl, maintainers at nlnetlabs.nl
> Subject: Unbound 1.10.0rc1 pre-release
> Message-ID: <a29809d5-38a1-f9f2-21bb-6d84c6412160 at nlnetlabs.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> Unbound 1.10.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz
> sha256 cee1761b7801ae1f6e37f8a81f0646b93ad62bad565fe8459d46661073ca8440
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz.asc
>
> This is the maintainers' pre-release.
>
> The 1.10.0rc1 release has RPZ support and serve stale functionality
> according to draft draft-ietf-dnsop-serve-stale-10. And a number of
> other, smaller, features, and bug fixes.
>
> The DNS Response Policy Zones (RPZ) functionality makes it possible
> to express DNS response policies in a DNS zone. These zones can
> be loaded from file or transferred over DNS zone transfers or
> HTTP. The RPZ functionality in Unbound is implemented as specified in
> draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address
> triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA,
> PASSTHRU, DROP and Local Data.
>
> Enabling the respip module using `module-config` is required to use
> RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses
> are applied in order of configuration. Unbound can get the data from
> zone transfer, a zonefile or https url, and more options are documented
> in the man page. A minimal RPZ configuration that will transfer the
> RPZ zone using AXFR and IXFR can look like:
>
> server:
>     module-config: "respip validator iterator"
>
> rpz:
>     name: "rpz.example.com" # name of the policy zone
>     master: 192.0.2.0 # address of the name server to transfer from
>
> The serve-stale functionality as described in
> draft-ietf-dnsop-serve-stale-10 is now supported in unbound.
> This allows unbound to first try and resolve a domain name before
> replying with expired data from cache. This differs from unbound's
> initial serve-expired behavior which attempts to reply with expired
> entries from cache without waiting for the actual resolution to finish.
> Both behaviors are available and can be configured with the various
> serve-expired-* configuration options. serve-expired-client-timeout is
> the option that enables one or the other.
>
> The DSA algorithms have been disabled by default; this is because of
> RFC 8624.
>
> There is a crash fix in the parse of text of type WKS, reported by
> X41 D-Sec.
>
> In addition, neg and key caches can be shared with multiple
> libunbound contexts, a change that assists unwind. The
> contrib/unbound_portable.service provides a systemd start file for a
> portable setup. The configure --with-libbsd option allows the use
> of the bsd compatibility library so that it can use the arc4random
> from it. The stats in contrib/unbound_munin_ have num.query.tls and
> num.query.tls.resume added to them. For unbound-control the command
> view_local_datas_remove is added that removes data from a view.
>
>
> Features:
> - Merge RPZ support into master. Only QNAME and Response IP triggers are
> supported.
> - Added serve-stale functionality as described in
> draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
> to configure the behavior.
> - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
> - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
> come with a configurable TTL value (`serve-expired-reply-ttl`).
> - Merge #135 from Florian Obser: Use passed in neg and key cache
> if non-NULL.
> - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
> - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
> and Frzk. Updates the unbound.service systemd file and adds a portable
> systemd service file.
> - Merge PR#154; Allow use of libbsd functions with configure option
> --with-libbsd. By Robert Edmonds and Steven Chamberlain.
> - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
> - Merge PR#156 from Alexander Berkes; Added unbound-control
> view_local_datas_remove command.
>
> Bug Fixes:
> - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
> Florian Obser
> - Update mailing list URL.
> - Fix #140: Document slave not downloading new zonefile upon update.
> - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
> The dl_iterate_phdr() function introduced in newer versions raises
> compilation errors on solaris 10.
> - Changes to compat/getentropy_solaris.c for,
> ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion
> for older systems.
> - Fix 'make test' to work for --disable-sha1 configure option.
> - Fix out-of-bounds null-byte write in sldns_bget_token_par while
> parsing type WKS, reported by Luis Merino from X41 D-Sec.
> - Updated sldns_bget_token_par fix for also space for the zero
> delimiter after the character. And update for more spare space.
> - Fix #138: stop binding pidfile inside chroot dir in systemd service
> file.
> - Fix the relationship between serve-expired and prefetch options,
> patch from Saksham Manchanda from Secure64.
> - Fix unreachable code in ssl set options code.
> - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
> because dnscrypt-proxy (2.0.36) does not support the test setup
> any more, and also the config file format does not seem to have the
> appropriate keys to recreate that setup.
> - Fix crash after reload where a stats lookup could reference old key
> cache and neg cache structures.
> - Fix for memory leak when edns subnet config options are read when
> compiled without edns subnet support.
> - Fix auth zone support for NSEC3 records without salt.
> - Merge PR#150 from Frzk: Systemd unit without chroot. It adds
> contrib/unbound_nochroot.service.in, a systemd file for use with
> chroot: "", see comments in the file, it uses systemd protections
> instead. It was superseded by #151, the unbound_portable.service
> file.
> - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
> to Libs/Requires for crypto library dependencies.
> - iana portlist updated.
> - Fix to silence the tls handshake errors for broken pipe and reset
> by peer, unless verbosity is set to 2 or higher.
> - Merge PR#147; change rfc reference for reserved top level dns names.
> - Fix #157: undefined reference to `htobe64'.
> - Fix subnet tests for disabled DSA algorithm by default.
> - Update contrib/fastrpz.patch for clean diff with current code.
> - updated .gitignore for added contrib file.
> - Add build rule for ipset to Makefile
> - Add getentropy_freebsd.o to Makefile dependencies.
> - Fix memory leak in error condition remote.c
> - Fix double free in error condition view.c
> - Fix memory leak in do_auth_zone_transfer on success
> - Stop working on socket when socket() call returns an error.
> - Check malloc return values in TLS session ticket code
> - Fix fclose on error in TLS session ticket code.
> - Add assertion to please static analyzer
> - Fixed stats when replying with cached, cname-aliased records.
> - Added missing default values for redis cachedb backend.
> - Fix num_reply_addr counting in mesh and tcp drop due to size
> after serve_stale commit.
> - Fix to create and destroy rpz_lock in auth_zones structure.
> - Fix to lock zone before adding rpz qname trigger.
> - Fix to lock and release once in mesh_serve_expired_lookup.
> - Fix to put braces around empty if body when threading is disabled.
> - Fix num_reply_states and num_detached_states counting with
> serve_expired_callback.
> - Cleaner code in mesh_serve_expired_lookup.
> - Document in unbound.conf manpage that configuration clauses can be
> repeated in the configuration file.
> - Document 'ub_result.was_ratelimited' in libunbound.
> - Fix use after free on log-identity after a reload; Fixes #163.
> - Fix with libnettle make test with dsa disabled.
> - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
> fixes, but it does not compile, conflicts with new rpz code.
> - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
> - Fix compile warning when threads disabled.
>
> Best regards, Wouter
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 13 Feb 2020 14:43:18 +0100
> From: Elmar Stellnberger <estellnb at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: retrieve TLSA record also if it is not secured by DNSSEC
> Message-ID: <CAHgGK3SsQHOauqAN93QKf6Q0kxiyKWqKAdCi_Dd3ceHFhSBoHA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> For Firefox they do intentionally not fix the flaw that you can not
> configure server certificates which use HSTS:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1606802. I suspect them
> being paid by intelligence because otherwise they would not forcefully
> implement a bug like this (previous versions of FF were good). I do
> not know how the situation is with wget and curl but the fact that you
> can not set a server certificate by a command line switch at all
> points in the same direction. Why are there dozens of switches to
> configure certification authorities but not a single switch for a
> server certificate then? The way things are now all of these projects
> are not trustworthy all together.
>
> 2020-02-12 20:57 GMT+01:00, Paul Wouters <paul at nohats.ca>:
> > On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
> >
> >> hash-slinger's "tlsa" command? I have never heard of it. I just have the
> >> libunbound library here. I do not even have the unbound-host executable
> >> here
> >> which you mentioned in my previous mail.
> >
> > https://github.com/letoams/hash-slinger
> >
> >> The atea tool I am already offering for download is something like a
> >> lightweight curl or wget for https/DANE without html support. It can be used
> >> to download files though.
> >
> > Oh I see. That is different then. The tlsa command is used to generate
> > or verify certificates with their DNSSEC TLSA record entries. It
> > supports both websites and mailservers.
> >
> > A tool that adds curl/wget support for TLSA is cool. although cooler
> > would be if curl/wget get native support of course :) Maybe Viktor
> > knows more about curl with openssl/tlsa support?
> >
> > Paul
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 13 Feb 2020 14:08:21 +0000
> From: Tony Finch <dot at dotat.at>
> To: Elmar Stellnberger <estellnb at gmail.com>
> Cc: Eric Luehrsen <ericluehrsen at gmail.com>,
> unbound-users at lists.nlnetlabs.nl
> Subject: Re: dns over tls with unbound on openwrt
> Message-ID: <alpine.DEB.2.20.2002131350180.25433 at grey.csi.cam.ac.uk>
> Content-Type: text/plain; charset=US-ASCII
>
> Elmar Stellnberger via Unbound-users <unbound-users at lists.nlnetlabs.nl>
> wrote:
>
> > What is the difference between recursive and forward DNS?
>
> I make a distinction which is a bit more pedantic than usual...
>
> Recursion is about the kinds of queries a server is willing to answer: if
> the server sets the RA bit (recursion available) in its responses and is
> therefore willing to answer RD (recursion desired) queries. The effect is
> that the server will obtain a complete answer and won't return referrals.
>
> This is independent of how the server gets the answers. It can perform
> iterative resolution (making queries with RD=0 and chasing referrals) or
> it can send recursive queries to another recursive server - which is
> called forwarding.
>
> According to this model, saying a server is recursive doesn't imply
> anything about whether it forwards queries or does its own iterative
> resolution. But usually when a server is described as recursive, that
> implies it does iterative resolution.
>
> The way I relate "recursion" in the DNS sense to its usual meaning, is
> when one resolver asks another resolver to answer a query on its behalf,
> it's a bit (wave hands vigorously) like a recursive call from one function
> to another function. (In the DNS case depth of recursion is determined by
> the forwarding topology, rather than reducing the complexity of the query
> as one would expect from functional recursion.)
>
> What makes the terminology extra confusing is that iterative resolution is
> about traversing a tree-shaped namespace (which has a recursive flavour)
> and iterative resolution gets explicitly recursive when the resolver has
> to resolve a nameserver address in order to follow a referral.
>
> So my rationalization is mostly in vain, because it isn't really possible
> to relate the DNS uses of recursion and iteration to their non-DNS
> meanings.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> German Bight, Humber: Cyclonic, becoming southwest later, 5 to 7, occasionally
> gale 8 at first. Moderate or rough. Rain then showers. Good, occasionally poor.
>
>
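The RPZ section of Wouter's announcement (Message 1 above) lists the two triggers (QNAME and Response IP) and five actions (NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data) that Unbound 1.10.0 supports, and says RPZ clauses are applied in configuration order. The toy evaluator below is an added example, not Unbound's code and not part of the digest: it parses a constructed policy zone using the owner-name and CNAME-target encodings of draft-vixie-dnsop-dns-rpz-00 and applies the zones in order. The zone text, its assumed name rpz.example.com, and all function names are constructed for illustration.

```python
import ipaddress
# Constructed sample zone (assume it is loaded as "rpz.example.com"); owner
# names are relative to the zone apex, text after ';' is a comment.
SAMPLE_ZONE = """\
malware.example        CNAME .               ; NXDOMAIN
*.malware.example      CNAME .               ; NXDOMAIN for subdomains too
tracker.example        CNAME *.              ; NODATA
allowed.example        CNAME rpz-passthru.   ; PASSTHRU
sink.example           CNAME rpz-drop.       ; DROP
walled.example         A     192.0.2.1       ; Local Data
24.0.2.0.192.rpz-ip    CNAME .               ; NXDOMAIN if an answer IP is in 192.0.2.0/24
"""
# Special CNAME targets that encode an action; any other RR is Local Data.
CNAME_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
                 "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

def parse_rpz(text):
    """Map QNAME owners to actions; turn <prefixlen>.<reversed octets>.rpz-ip owners into (network, action)."""
    qname_rules, ip_rules = {}, []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) != 3:
            continue
        owner, rtype, rdata = fields
        action = ((CNAME_ACTIONS[rdata],) if rtype == "CNAME" and rdata in CNAME_ACTIONS
                  else ("LOCALDATA", rtype, rdata))
        if owner.endswith(".rpz-ip"):
            labels = owner[:-len(".rpz-ip")].split(".")
            net = ipaddress.ip_network(".".join(reversed(labels[1:])) + "/" + labels[0])
            ip_rules.append((net, action))
        else:
            qname_rules[owner.lower()] = action
    ip_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)  # most specific first
    return qname_rules, ip_rules

def match_qname(qname_rules, qname):
    """Exact owner first, then the closest enclosing wildcard (*.parent)."""
    labels = qname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((qname_rules[c] for c in candidates if c in qname_rules), None)

def match_response_ip(ip_rules, answer_ips):
    """Fire when any address in the answer falls inside a listed prefix."""
    return next((action for net, action in ip_rules
                 if any(ipaddress.ip_address(ip) in net for ip in answer_ips)), None)

def apply_policy(zones, qname, answer_ips=()):
    """Zones are consulted in configuration order and the first hit decides;
    QNAME triggers fire before resolution, response-IP triggers after it."""
    for qname_rules, ip_rules in zones:
        hit = match_qname(qname_rules, qname) or match_response_ip(ip_rules, answer_ips)
        if hit:
            return hit
    return ("PASSTHRU",)  # no rule hit: the answer goes through unchanged
```

Pass `apply_policy([parse_rpz(SAMPLE_ZONE)], "cdn.malware.example")` to see the wildcard rule return NXDOMAIN, and `apply_policy(zones, "clean.example", ["192.0.2.77"])` to see the response-IP trigger fire on an otherwise unlisted name.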