Hello LRob, On Tue, Jan 13, 2026 at 10:56:38PM +0100, LRob wrote: > > What made you install the resolvconf package? > > I did not consciously install it. > In this case it was likely pulled as a dependency or pre-installed > in the server provider's OS install image. I suspect this is the case > for many users who are unaware of its interaction with unbound.
At this time, I would argue that users who are not aware of resolvconf likely are also not aware of the distinction between recursive resolution and forwarding. They just want DNS to work. The way to make it just work in most situations is forwarding as has been explained in detail by Michael. Arguably, the default behavior actually is recursive resolution as you desire. I verified this by booting a forky VM. Then I installed unbound and verified that it was not forwarding anywhere. resolvconf was not installed. Given resolvconf's package description, I would not be surprised if it changed unbound's forwarding behavior upon package installation. That looks exactly like the task the package is solving. Conversely, if changing the default, I would expect bug reports arguing that the integration of unbound with resolvconf would be broken by default. It is perfectly reasonable to use unbound as a forwarding DNSSEC validator. How do you imagine users to change unbound to forwarding if they so desire? > Yes, removing resolvconf is another workaround I didn't think of. > However, users who installed unbound for recursive resolution > are unlikely to know that an unrelated package silently changes > unbound's behavior. Classifying resolvconf as unrelated is a stretch. > Michael's latest analysis covers this well and I fully agree with it. > > - bind9: no forwarding by default > - knot: no forwarding by default > - dnsmasq: forwards by default (but dnsmasq is primarily a forwarder) > - systemd-resolved: forwards (but it's not marketed as recursive) Indeed, this changes the argument towards your view. However, I expect that the user base that both cares and knows the distinction of forwarding and recursive and at the same time doesn't know about the purpose of the resolvconf package is relatively small, but I do not actually have any data on this. A minor data point is that this behavior has existed for probably a decade without anyone complaining. > What are the next steps to implement this change? I am not yet seeing consensus on this matter. Helmut
