Control: tag -1 + wontfix
On 1/8/26 01:01, LRob wrote:
Package: unbound
Version: 1.22.0-2+deb13u1
Severity: important
Tags: security
The /etc/resolvconf/update.d/unbound hook is now executable by default
on new
installs. This causes unbound to silently forward all queries to upstream
nameservers (provided by DHCP/resolvconf) instead of performing recursive
resolution starting from root servers.
If we ignore DHCP-provided nameservers and always perform recursive name
resolution, we'll have non-working internet connectivity in common wifi
areas where captive portals are in effect.
If you have stable internet connectivity where you're sure recursive
resolution works, you're free to drop execute permissions from this
hook, and recursive-only name resolution will work fine for you.
For a general case, we need a working internet first, making debian
to be unable to connect to the internet by default is wrong, in my
opinion.
If you disagree and insist on disabling this hook by default, I think
a wider discussion is in order.
Thanks,
/mjt
