Unbound 1.13.2rc1 pre-release

A. Schulze sca at andreasschulze.de
Mon Aug 9 18:34:24 UTC 2021



Am 05.08.21 um 11:11 schrieb Wouter Wijngaards via Unbound-users:
> Unbound 1.13.2rc1 pre-release is available

compiles (without warnings) and runs on my usual lab environment

> The ZONEMD support allows verification of downloaded authority zone
> files with the zonemd hash. It can be enabled with the zonemd-check
> option. It implements RFC8976. With zonemd-permissive-mode it is
> possible to try out the functionality without withholding the zone if
> the checks fail. With zonemd-reject-absence the zonemd record becomes a
> requirement for a zone.

andreasschulze.de has a signed ZONEMD record. If the auth-zone is not yet
downloaded, there is a chicken-and-egg problem: the DNSKEY to validate
the ZONEMD record is not yet downloaded. At least that is my idea of this warning:

Aug 09 20:16:01 unbound[9257:0] notice: init module 0: respip
Aug 09 20:16:01 unbound[9257:0] notice: init module 1: validator
Aug 09 20:16:01 unbound[9257:0] notice: init module 2: iterator
Aug 09 20:16:02 unbound[9257:0] warning: auth zone andreasschulze.de.: ZONEMD verification failed: lookup of DNSKEY failed
Aug 09 20:16:02 unbound[9257:0] info: generate keytag query _ta-4f66. NULL IN
Aug 09 20:16:02 unbound[9257:0] info: start of service (unbound 1.13.2rc1).

this is the config:

auth-zone:
        name: "andreasschulze.de."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: no
        primary: 2001:db8::53#ns.example.de
        zonefile: "auth-zones/andreasschulze.de"
        zonemd-check: yes
        zonemd-reject-absence: yes

The warning is only visible if the local zonefile does not exist.

> It is possible to use interface names for the control-interface as well,
> it was already possible for the interface, but now also for the remote
> control functionality. It allows the user to config the interface with
> the interface name, like 'eth0', instead of an IP address.
works

> The RR types SVCB and HTTPS are supported according to the draft
> specification. The syntax can be used in local zones and zone files,
> and debug output. The types themselves were already supported on the
> wire by the RFC3597 unknown RR type support.
works

> The HTTP user agent header can be configured or elided, to
> avoid printing the version or type of the software running on the
> server, with the options http-user-agent and hide-http-user-agent.
both work

Andreas
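A worked model of what the zonemd-check option verifies, added here as an example; it is not Unbound's own code. It computes the RFC 8976 digest (SCHEME 1, SHA-384) over a zone held as a list of RR tuples, in canonical order and with the apex ZONEMD RRset excluded as the RFC requires, then checks an apex ZONEMD record the way the verifier side does (serial must match the SOA, scheme and hash must be supported, digest must match), returning "absent" for a zone without ZONEMD the way zonemd-reject-absence would. Only A, AAAA, NS, SOA and ZONEMD are encoded, and the sample zone is constructed, modelled on the simple zone in RFC 8976 Appendix A.1; the function names, the tuple layout and the status strings are this example's own.

```python
"""RFC 8976 ZONEMD (SCHEME 1, SHA-384) digest calculation and check.
Added example, not Unbound's code: a dependency-free model of what
zonemd-check does to a downloaded zone, limited to the RR types below."""
import hashlib
import ipaddress
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE, HASH_SHA384 = 1, 1   # the only scheme/hash pair handled here

def labels(name):
    """Lowercased labels of an absolute name (RFC 4034 canonical form lowercases)."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def name_wire(name):
    """Uncompressed wire form of a name."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def name_key(name):
    """Canonical name order (RFC 4034 section 6.1): labels compared root-first."""
    return tuple(reversed(labels(name)))

def is_apex(owner, origin):
    return labels(owner) == labels(origin)

def rdata_wire(rtype, fields):
    """Canonical RDATA wire form for the few types this example supports."""
    if rtype == "A":
        return ipaddress.IPv4Address(fields[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(fields[0]).packed
    if rtype == "NS":
        return name_wire(fields[0])
    if rtype == "SOA":  # mname rname serial refresh retry expire minimum
        return name_wire(fields[0]) + name_wire(fields[1]) + struct.pack("!5I", *map(int, fields[2:]))
    if rtype == "ZONEMD":  # serial scheme hash-algorithm digest
        return struct.pack("!IBB", *map(int, fields[:3])) + bytes.fromhex(fields[3])
    raise ValueError("unsupported RR type " + rtype)

def compute_digest(zone, origin):
    """SHA-384 over every RR in canonical order (RFC 8976 section 3.3).
    zone is a list of (owner, ttl, type, fields). The apex ZONEMD RRset is left out
    (inclusion rule 4; a signed zone would also leave out its RRSIG, rule 6) and
    duplicate RRs count once (rule 3)."""
    records = {}
    for owner, ttl, rtype, fields in zone:
        if rtype == "ZONEMD" and is_apex(owner, origin):
            continue
        rdata = rdata_wire(rtype, fields)
        header = struct.pack("!HHIH", TYPE[rtype], CLASS_IN, int(ttl), len(rdata))
        records[(name_key(owner), TYPE[rtype], rdata)] = name_wire(owner) + header + rdata
    h = hashlib.sha384()
    for key in sorted(records):   # owner name, then type number, then RDATA
        h.update(records[key])
    return h.digest()

def apex_soa(zone, origin):
    return next(rr for rr in zone if rr[2] == "SOA" and is_apex(rr[0], origin))

def publish_zonemd(zone, origin):
    """Publisher side: drop any old apex ZONEMD and append a freshly computed one."""
    _, ttl, _, soa = apex_soa(zone, origin)
    kept = [rr for rr in zone if not (rr[2] == "ZONEMD" and is_apex(rr[0], origin))]
    digest = compute_digest(kept, origin).hex()
    return kept + [(origin, ttl, "ZONEMD", [int(soa[2]), SCHEME_SIMPLE, HASH_SHA384, digest])]

def verify_zone(zone, origin, reject_absence=True):
    """Verifier side (RFC 8976 section 4). Returns "ok" when any apex ZONEMD RR
    verifies, else why the last one failed ("serial", "unsupported", "mismatch").
    With no ZONEMD at all: "absent" (zonemd-reject-absence) or "skipped"."""
    zonemds = [rr[3] for rr in zone if rr[2] == "ZONEMD" and is_apex(rr[0], origin)]
    if not zonemds:
        return "absent" if reject_absence else "skipped"
    soa_serial = int(apex_soa(zone, origin)[3][2])
    reason = "unsupported"
    for serial, scheme, algo, digest_hex in zonemds:
        if int(serial) != soa_serial:
            reason = "serial"           # ZONEMD serial must equal the SOA serial
        elif (int(scheme), int(algo)) != (SCHEME_SIMPLE, HASH_SHA384):
            reason = "unsupported"
        elif compute_digest(zone, origin) == bytes.fromhex(digest_hex):
            return "ok"
        else:
            reason = "mismatch"
    return reason

# Constructed sample zone modelled on the simple zone in RFC 8976 Appendix A.1;
# compare the digest printed below with the ZONEMD record shown there.
ORIGIN = "example."
SAMPLE_ZONE = [
    ("example.", 86400, "SOA", ["ns1.example.", "admin.example.", 2018031900, 1800, 900, 604800, 86400]),
    ("example.", 86400, "NS", ["ns1.example."]),
    ("example.", 86400, "NS", ["ns2.example."]),
    ("ns1.example.", 3600, "A", ["203.0.113.63"]),
    ("ns2.example.", 3600, "AAAA", ["2001:db8::63"]),
]

if __name__ == "__main__":
    print("digest:", compute_digest(SAMPLE_ZONE, ORIGIN).hex())
    print("unsigned zone, reject-absence:", verify_zone(SAMPLE_ZONE, ORIGIN))
    published = publish_zonemd(SAMPLE_ZONE, ORIGIN)
    print("published zone:", verify_zone(published, ORIGIN))
    tampered = [(o, t, ty, ["198.51.100.1"] if ty == "A" else f) for o, t, ty, f in published]
    print("tampered zone:", verify_zone(tampered, ORIGIN))
```

Because the apex ZONEMD RRset is excluded from the hash, a publisher and a verifier compute exactly the same bytes; the only thing the ZONEMD record adds to the zone is the serial it was computed for, which is why a serial bump without a re-digest is reported as a serial failure rather than a digest mismatch. The model deliberately stops short of the DNSSEC step that precedes the digest check in a signed zone, which is the part the DNSKEY warning above is about.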

