Control: owner -1 !

Hello,

On Tue, Jan 13, 2026 at 08:22:56PM +0100, LRob wrote:
> I am escalating bug #1124968 to the Technical Committee after
> disagreement with the unbound maintainer.
>
> SUMMARY OF DISPUTE:
>
> The unbound package has a resolvconf hook enabled by default that
> silently forwards all DNS queries to upstream resolvers (ISP, hosting
> provider) instead of performing recursive resolution.
>
> The maintainer argues:
> This is necessary for captive portal scenarios,
> and therefore working out of the box in all contexts.
>
> I argue:
> - It currently does not work as a resolver out of the box
>   (as soon as you have a DHCP server on the network, so lots of cases)
> - This defeats unbound's documented purpose as a recursive resolver
> - It creates a silent privacy leak (all DNS queries sent to third parties)
> - It's a security issue (cache poisoning exposure, DNSSEC bypass)
> - Users installing a "recursive resolver" expect recursive resolution
> - Captive portals are an edge case for unbound's typical userbase
>
> The maintainer marked the bug "wontfix" and suggested escalation.
>
> RELEVANT BUG: #1124968
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124968
>
> PROPOSED RESOLUTION:
> - Default to disabled hook (recursive resolution)
> - Document how to enable forwarding for captive portal scenarios
>
> OTHER SOLUTION MAY BE:
> - Disable (default) / Enable upstream forwarding via config file
> - Offer to choose upstream servers (default DHCP)

Your disagreement is received. I have marked myself as owner of this bug,
which makes me assume the moderator role for this matter on behalf of the
ctte.

As far as I can see, configuring unbound as a recursive resolver is a matter
of changing the execute permission of a conffile. The functionality you would
like to see does exist, and the disagreement only exists about the default
behavior of the unbound package. Do you agree with this characterization?

In order to use the resolvconf hook, the resolvconf package must be
installed. resolvconf is not a dependency of unbound. Therefore removing the
resolvconf package is another way to opt out of the forwarding behavior. When
using unbound as a local resolver, /etc/resolv.conf can be configured
statically, and installing the resolvconf package bears little benefit unless
one wishes to communicate the DNS servers received via DHCP to the local
resolver. Do you also concur here? What made you install the resolvconf
package?

Generally, deciding about the defaults of how packages behave - even if it
deviates from upstream choices - is something that falls within the
competence of package maintainers. Deviating from upstream defaults is not
uncommon.

Generally, when packaging software in a large distribution, consistency
between software packages is useful. Therefore looking at how other resolvers
behave by default is relevant here. The resolvconf package specifically
exists as glue between network configuration and resolvers to implement
forwarding behavior. For instance, dnsmasq also provides such a hook by
default. systemd-resolved does not provide such a hook, but when used with
systemd-networkd, it also defaults to forwarding behavior. Counter-examples
are bind9 and knot, which do not pick up servers to forward to via
resolvconf. We can conclude that both ways are prevalent in Debian. Would you
want to further investigate the consistency aspect to provide a stronger
reason in your favour?

Helmut for the technical committee
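The reply above names three things that together decide whether DHCP-supplied
nameservers reach unbound: the resolvconf package being installed, the hook
conffile being executable, and the forwarders unbound is actually running
with. The following shell script is an added example written for this page;
it is not part of the bug report, the ctte reply, or the unbound package. It
assumes the hook lives at /etc/resolvconf/update.d/unbound (an assumption;
confirm with `dpkg -L unbound` on your own system) and that `unbound-control`
is set up if you want the live check.

```shell
#!/bin/sh
# Added example (not from the bug report or the unbound package): report the
# state of the three opt-out points for the resolvconf forwarding hook and
# offer the permission-based opt-out.

# Assumed location of the resolvconf update hook shipped by unbound.
UNBOUND_HOOK="${UNBOUND_HOOK:-/etc/resolvconf/update.d/unbound}"

# hook_state FILE
#   prints "executable" (hook would run), "disabled" (present, execute bit
#   cleared) or "absent" (not installed at that path)
hook_state() {
    f="$1"
    if [ -x "$f" ]; then
        echo executable
    elif [ -e "$f" ]; then
        echo disabled
    else
        echo absent
    fi
}

# resolvconf_installed
#   returns 0 only if dpkg reports the resolvconf package as installed;
#   without it the hook is never invoked, whatever its mode bits say
resolvconf_installed() {
    dpkg-query -W -f='${Status}' resolvconf 2>/dev/null \
        | grep -q 'install ok installed'
}

# forwarding_possible HOOK
#   prints "yes" when both conditions for the hook to push DHCP nameservers
#   into unbound are met, "no" otherwise
forwarding_possible() {
    if resolvconf_installed && [ "$(hook_state "$1")" = executable ]; then
        echo yes
    else
        echo no
    fi
}

# disable_hook HOOK
#   the opt-out the reply describes: keep the conffile, clear its execute bit
disable_hook() {
    [ -e "$1" ] && chmod a-x "$1"
}

# current_forwarders
#   live check when unbound-control is usable: prints "off" for plain
#   recursive resolution, otherwise the upstream forwarders currently in use
current_forwarders() {
    command -v unbound-control >/dev/null 2>&1 || return 1
    unbound-control forward 2>/dev/null
}

# Usage: run as root to print the overall picture for this host.
if [ "${1:-}" = "--report" ]; then
    echo "hook ($UNBOUND_HOOK): $(hook_state "$UNBOUND_HOOK")"
    if resolvconf_installed; then echo "resolvconf: installed"; else echo "resolvconf: not installed"; fi
    echo "forwarding possible: $(forwarding_possible "$UNBOUND_HOOK")"
    fw=$(current_forwarders) && echo "unbound-control forward: $fw"
fi
```

The `hook_state`/`resolvconf_installed` pair answers the configuration
question; `current_forwarders` is the runtime answer, which matters when a
DHCP lease has already been applied and the hook has already pushed servers
into the running daemon. `disable_hook` only flips the permission bit; if you
prefer the second opt-out from the reply, removing the resolvconf package,
`forwarding_possible` will report "no" regardless of the hook's mode.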

