Package: tech-ctte
Severity: normal

I am escalating bug #1124968 to the Technical Committee after disagreement with the unbound maintainer.

SUMMARY OF DISPUTE:

The unbound package has a resolvconf hook enabled by default that silently forwards all DNS queries to upstream resolvers (ISP, hosting provider) instead of performing recursive resolution.

The maintainer argues: This is necessary for captive portal scenarios, and therefore working out of the box in all contexts.

I argue:
- It currently does not work as a resolver out of the box (as soon as you have a DHCP server on the network, so lots of cases)
- This defeats unbound's documented purpose as a recursive resolver
- It creates a silent privacy leak (all DNS queries sent to third parties)
- It's a security issue (cache poisoning exposure, DNSSEC bypass)
- Users installing a "recursive resolver" expect recursive resolution
- Captive portals are an edge case for unbound's typical userbase

The maintainer marked the bug "wontfix" and suggested escalation.

RELEVANT BUG:
#1124968 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124968

PROPOSED RESOLUTION:
- Default to disabled hook (recursive resolution)
- Document how to enable forwarding for captive portal scenarios

OTHER SOLUTIONS MAY BE:
- Disable (default) / Enable upstream forwarding via config file
- Offer to choose upstream servers (default DHCP)

Thank you,
LRob
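An added check (not part of the bug report or the unbound package) that an administrator can run to see whether a running unbound instance resolves recursively or forwards the root zone to upstream servers, which is the behaviour the hook above configures. It assumes that `unbound-control forward` with no arguments prints the current forwarders for "." and prints "off" (or nothing) when forwarding is disabled.

```shell
#!/bin/sh
# Added example, not from the bug report. Classify the forwarding state of a
# running unbound from the output of `unbound-control forward`.
# Assumption: with no arguments that command prints the forwarder addresses for
# the root zone ".", or "off" / nothing when unbound recurses on its own.

# classify_forwarders: read `unbound-control forward` output on stdin and print
#   "recursive"                     when no root forwarder is configured
#   "forwarding:<addr> [<addr>...]" when queries go to upstream servers
classify_forwarders() {
    addrs=""
    while IFS= read -r line || [ -n "$line" ]; do
        for w in $line; do
            case "$w" in
                off) ;;                          # explicit "not forwarding"
                *) addrs="${addrs:+$addrs }$w" ;; # collect upstream addresses
            esac
        done
    done
    if [ -z "$addrs" ]; then
        printf 'recursive\n'
    else
        printf 'forwarding:%s\n' "$addrs"
    fi
}

# Live mode: query the local daemon (requires unbound-control access).
# Run as: sh check-unbound-forward.sh --live
if [ "$1" = "--live" ]; then
    state=$(unbound-control forward | classify_forwarders)
    printf '%s\n' "$state"
    case "$state" in
        forwarding:*)
            # Every query leaves for the listed resolvers; cache poisoning and
            # DNSSEC validation then depend on those upstreams, not on unbound.
            printf 'NOTE: unbound is forwarding, not resolving recursively\n' >&2
            ;;
    esac
fi
```

On a Debian host where the resolvconf hook is active, the live run reports "forwarding:" followed by the DHCP-supplied resolver addresses; after disabling the hook and restarting unbound it reports "recursive".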

