Unbound 1.13.2rc1 pre-release
sca at andreasschulze.de
Mon Aug 9 18:34:24 UTC 2021
On 05.08.21 at 11:11, Wouter Wijngaards via Unbound-users wrote:
> Unbound 1.13.2rc1 pre-release is available
compiles (without warnings) and runs in my usual lab environment
> The ZONEMD support allows verification of downloaded authority zone
> files with the zonemd hash. It can be enabled with the zonemd-check
> option. It implements RFC8976. With zonemd-permissive-mode it is
> possible to try out the functionality without withholding the zone if
> the checks fail. With zonemd-reject-absence the zonemd record becomes a
> requirement for a zone.
andreasschulze.de has a signed ZONEMD record. If the auth-zone is not yet
downloaded, there is a chicken-and-egg problem: the DNSKEY to validate
the ZONEMD record is not yet downloaded. At least this is my idea of this warning:
Aug 09 20:16:01 unbound[9257:0] notice: init module 0: respip
Aug 09 20:16:01 unbound[9257:0] notice: init module 1: validator
Aug 09 20:16:01 unbound[9257:0] notice: init module 2: iterator
Aug 09 20:16:02 unbound[9257:0] warning: auth zone andreasschulze.de.: ZONEMD verification failed: lookup of DNSKEY failed
Aug 09 20:16:02 unbound[9257:0] info: generate keytag query _ta-4f66. NULL IN
Aug 09 20:16:02 unbound[9257:0] info: start of service (unbound 1.13.2rc1).
this is the config:
The warning is only visible if the local zonefile does not exist
> It is possible to use interface names for the control-interface as well,
> it was already possible for the interface, but now also for the remote
> control functionality. It allows the user to config the interface with
> the interface name, like 'eth0', instead of an IP address.
> The RR types SVCB and HTTPS are supported according to the draft
> specification. The syntax can be used in local zones and zone files,
> and debug output. The types themselves were already supported on the
> wire the RFC3597 unknown RR type support.
> The HTTP user agent header can be configured or elided, to
> avoid printing the version of type of the software running on the
> server, with the options http-user-agent and hide-http-user-agent.
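Added example, not part of the original message and not Unbound project code: a small log triage script that pulls ZONEMD verification failures out of unbound log output and tags each one as occurring before or after "start of service", which separates the startup ordering case described in the reply from failures on a running resolver. The line layout is assumed from the log lines quoted above; the zone example.test. and its log line are constructed.

```python
import re

# Layout assumed from the syslog-style lines quoted in the message above.
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) unbound\[(?P<pid>\d+):\d+\] "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
ZONEMD_FAIL = re.compile(
    r"^auth zone (?P<zone>\S+?): ZONEMD verification failed: (?P<reason>.+)$"
)

# Constructed sample: the first three lines copy the shape of the quoted log,
# the last line (zone example.test., later timestamp) is made up for contrast.
SAMPLE_LOG = """\
Aug 09 20:16:01 unbound[9257:0] notice: init module 1: validator
Aug 09 20:16:02 unbound[9257:0] warning: auth zone andreasschulze.de.: ZONEMD verification failed: lookup of DNSKEY failed
Aug 09 20:16:02 unbound[9257:0] info: start of service (unbound 1.13.2rc1).
Aug 09 20:31:40 unbound[9257:0] warning: auth zone example.test.: ZONEMD verification failed: lookup of DNSKEY failed
"""


def zonemd_failures(log_text):
    """Return one dict per ZONEMD failure, tagged 'startup' or 'running'."""
    started = set()  # pids that have already logged "start of service"
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if line is None:
            continue  # not an unbound log line in the assumed layout
        if line["msg"].startswith("start of service"):
            started.add(line["pid"])
            continue
        fail = ZONEMD_FAIL.match(line["msg"])
        if fail is None:
            continue
        findings.append({
            "ts": line["ts"],
            "zone": fail["zone"],
            "reason": fail["reason"],
            "phase": "running" if line["pid"] in started else "startup",
        })
    return findings


if __name__ == "__main__":
    for f in zonemd_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['zone']} [{f['phase']}] {f['reason']}")
```

A failure tagged "startup" matches the situation reported in the reply; one tagged "running" did not coincide with initial zone load and is worth triaging separately.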