Unbound 1.10.0rc1 pre-release

A. Schulze sca at andreasschulze.de
Thu Feb 13 19:51:16 UTC 2020

Am 13.02.20 um 13:41 schrieb Wouter Wijngaards via Unbound-users:
> Unbound 1.10.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz

Hello Amsterdam!

1. no warnings while building from source. Thanks.
2. in doc/unbound.conf.5.in: s/refered/referred/ and s/assiged/assigned/
3. unbound-checkconf now fail on an auth-zone clause referring a zonefile not present (yet)

 chroot: "/chroot/unbound"
 name: "."
 for-downstream: no
 for-upstream: yes
 fallback-enabled: yes
 master: # xfr.cjr.dns.icann.org 
 master: # xfr.lax.dns.icann.org 
 master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org 
 master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org 
 zonefile: "auth-zones/root"

# unbound-checkconf
/chroot/unbound/etc/unbound/auth-zones/root: No such file or directory
[1581621877] unbound-checkconf[27564:0] fatal error: auth-zone zonefile: "auth-zones/root" does not exist in chrootdir /chroot/unbound

# ls -ld /chroot/unbound/etc/unbound/auth-zones/
drwxr-xr-x 1 unbound root 0 Feb 13 20:09 /chroot/unbound/etc/unbound/auth-zones/

Up to unbound-1.9.6 unbound-control was fine without the file.
Unbound-1.10.0rc1 itself work as expected: without /chroot/unbound/etc/unbound/auth-zones/root it starting a zone transfer and create the file.
A second "unbound-checkconf" now pass "unbound-checkconf: no errors in /etc/unbound/unbound.conf"
To me it looks like a glitch in unbound-checkconf.

4. (maybe not new in 1.10.0, but today I noticed it)

 tls-cert-bundle: "/path/to/cert-bundle.pem"

If "/path/to/cert-bundle.pem" does not exist, unbound fail to start:
[1581623048] unbound[29395:0] error: error in SSL_CTX verify crypto error:02001002:system library:fopen:No such file or directory
[1581623048] unbound[29395:0] error: and additionally crypto error:2006D080:BIO routines:BIO_new_file:no such file
[1581623048] unbound[29395:0] error: and additionally crypto error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
[1581623048] unbound[29395:0] fatal error: could not set up connect SSL_CTX

there is no hint about "tls-cert-bundle" or "/path/to/cert-bundle.pem" which makes debugging really hard.

Also, the file is only searched outside of a chroot and a relative path is also impossible. Maybe this should me mentioned in the manpage.

it's late here. rpz testing will happen tomorrow :-)


More information about the Unbound-users mailing list