Unbound 1.10.0rc1 pre-release

Wouter Wijngaards wouter at nlnetlabs.nl
Fri Feb 14 06:59:05 UTC 2020


Hi Andreas,

On 13/02/2020 20:51, A. Schulze via Unbound-users wrote:
> 
> 
> On 13.02.20 at 13:41, Wouter Wijngaards via Unbound-users wrote:
>> Unbound 1.10.0rc1 pre-release is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz
> 
> 
> Hello Amsterdam!
> 
> 1. no warnings while building from source. Thanks.
> 2. in doc/unbound.conf.5.in: s/refered/referred/ and s/assiged/assigned/

Fixed, thanks!

> 3. unbound-checkconf now fails on an auth-zone clause referring to a zonefile not present (yet)

Fixed that too by removing the check.  It was checking if the files are
properly in the chroot (also for rpz zone files).  But they can not
exist, so that does not work.

Best regards, Wouter

> 
> ----
> server:
>  chroot: "/chroot/unbound"
> auth-zone:
>  name: "."
>  for-downstream: no
>  for-upstream: yes
>  fallback-enabled: yes
>  master: 192.0.47.132 # xfr.cjr.dns.icann.org 
>  master: 192.0.32.132 # xfr.lax.dns.icann.org 
>  master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org 
>  master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org 
>  zonefile: "auth-zones/root"
> ----
> 
> # unbound-checkconf
> /chroot/unbound/etc/unbound/auth-zones/root: No such file or directory
> [1581621877] unbound-checkconf[27564:0] fatal error: auth-zone zonefile: "auth-zones/root" does not exist in chrootdir /chroot/unbound
> 
> # ls -ld /chroot/unbound/etc/unbound/auth-zones/
> drwxr-xr-x 1 unbound root 0 Feb 13 20:09 /chroot/unbound/etc/unbound/auth-zones/
> 
> Up to unbound-1.9.6 unbound-control was fine without the file.
> Unbound-1.10.0rc1 itself works as expected: without /chroot/unbound/etc/unbound/auth-zones/root it starts a zone transfer and creates the file.
> A second "unbound-checkconf" now passes: "unbound-checkconf: no errors in /etc/unbound/unbound.conf"
> To me it looks like a glitch in unbound-checkconf.
> 
> 4. (maybe not new in 1.10.0, but today I noticed it)
> 
> ----
> server:
>  tls-cert-bundle: "/path/to/cert-bundle.pem"
> ----
> 
> If "/path/to/cert-bundle.pem" does not exist, unbound fails to start:
> [1581623048] unbound[29395:0] error: error in SSL_CTX verify crypto error:02001002:system library:fopen:No such file or directory
> [1581623048] unbound[29395:0] error: and additionally crypto error:2006D080:BIO routines:BIO_new_file:no such file
> [1581623048] unbound[29395:0] error: and additionally crypto error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
> [1581623048] unbound[29395:0] fatal error: could not set up connect SSL_CTX
> 
> There is no hint about "tls-cert-bundle" or "/path/to/cert-bundle.pem", which makes debugging really hard.
> 
> Also, the file is only searched outside of a chroot and a relative path is also impossible. Maybe this should be mentioned in the manpage.
> 
> It's late here. rpz testing will happen tomorrow :-)
> 
> Andreas
> 
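
A preflight check for the two file-path issues discussed in this thread, as an added example that is not part of the original messages or of Unbound's own code. It assumes relative zonefile paths resolve under the chroot plus /etc/unbound (as in the quoted error message) and takes from the report that tls-cert-bundle is read outside the chroot and cannot be relative; `preflight`, `parse_options` and `conf_dir` are hypothetical names.

```python
import os
import re

# Matches 'key: value' lines of unbound.conf, stripping quotes and # comments.
OPTION = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_options(conf_text):
    """Return (key, value) pairs; clause headers such as 'server:' have value ''."""
    return [m.groups() for m in map(OPTION.match, conf_text.splitlines()) if m]

def preflight(conf_text, conf_dir="/etc/unbound"):
    """Return (severity, option, path, message) findings; conf_dir is an assumption."""
    options = parse_options(conf_text)
    chroot = next((v for k, v in options if k == "chroot"), "")
    findings = []
    for key, value in options:
        if key == "tls-cert-bundle" and value:
            # Per the report: looked up outside the chroot, relative paths fail.
            if not os.path.isabs(value):
                findings.append(("error", key, value, "must be an absolute path"))
            elif not os.path.isfile(value):
                findings.append(("error", key, value, "file not found outside chroot"))
            else:
                with open(value, "rb") as fh:
                    if b"-----BEGIN CERTIFICATE-----" not in fh.read():
                        findings.append(("error", key, value, "no PEM certificate found"))
        elif key == "zonefile" and value:
            # Simplification: relative paths resolve under chroot + conf_dir.
            path = value if os.path.isabs(value) else os.path.join(chroot + conf_dir, value)
            if os.path.isfile(path):
                continue
            if os.path.isdir(os.path.dirname(path)):
                # Not an error: Unbound creates the file after the first transfer.
                findings.append(("info", key, path, "absent, created after zone transfer"))
            else:
                findings.append(("error", key, path, "parent directory missing"))
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the configuration quoted in the thread.
    sample = '''server:
 chroot: "/chroot/unbound"
 tls-cert-bundle: "/path/to/cert-bundle.pem"
auth-zone:
 zonefile: "auth-zones/root"
'''
    for finding in preflight(sample):
        print(*finding, sep=": ")
```

Unlike the startup log quoted above, each finding names the option and the resolved path, and a missing zonefile is only informational as long as its directory exists.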

