Hi, I am getting the below error while trying to run unbound on my machine. I am using unbound-1.9.6. Can someone please help.
root@ubuntu:~# which unbound
/usr/local/sbin/unbound
root@ubuntu:~# unbound -c /usr/local/etc/unbound/unbound.conf
[1581621083] unbound[22619:0] fatal error: user 'unbound' does not exist.
root@ubuntu:~# unbound -c /usr/local/etc/unbound/unbound.conf

rgds
Simon

On Thu, Feb 13, 2020 at 6:08 AM <unbound-users-requ...@lists.nlnetlabs.nl> wrote:
>
> Today's Topics:
>
>    1. Unbound 1.10.0rc1 pre-release (Wouter Wijngaards)
>    2. Re: retrieve TLSA record also if it is not secured by DNSSEC
>       (Elmar Stellnberger)
>    3. Re: retrieve TLSA record also if it is not secured by DNSSEC
>       (Elmar Stellnberger)
>    4. Re: dns over tls with unbound on openwrt (Tony Finch)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 Feb 2020 13:41:53 +0100
> From: Wouter Wijngaards <wou...@nlnetlabs.nl>
> To: unbound-us...@nlnetlabs.nl, maintain...@nlnetlabs.nl
> Subject: Unbound 1.10.0rc1 pre-release
> Message-ID: <a29809d5-38a1-f9f2-21bb-6d84c6412...@nlnetlabs.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> Unbound 1.10.0rc1 pre-release is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz
> sha256 cee1761b7801ae1f6e37f8a81f0646b93ad62bad565fe8459d46661073ca8440
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz.asc
>
> This is the maintainers' pre-release.
>
> The 1.10.0rc1 release has RPZ support and serve stale functionality
> according to draft draft-ietf-dnsop-serve-stale-10. And a number of
> other, smaller, features, and bug fixes.
>
> The DNS Response Policy Zones (RPZ) functionality makes it possible
> to express DNS response policies in a DNS zone. These zones can
> be loaded from file or transferred over DNS zone transfers or
> HTTP. The RPZ functionality in Unbound is implemented as specified in
> draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address
> triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA,
> PASSTHRU, DROP and Local Data.
>
> Enabling the respip module using `module-config` is required to use
> RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses
> are applied in order of configuration. Unbound can get the data from
> zone transfer, a zonefile or https url, and more options are documented
> in the man page. A minimal RPZ configuration that will transfer the
> RPZ zone using AXFR and IXFR can look like:
>
> server:
>     module-config: "respip validator iterator"
>
> rpz:
>     name: "rpz.example.com"  # name of the policy zone
>     master: 192.0.2.0        # address of the name server to transfer from
>
> The serve-stale functionality as described in
> draft-ietf-dnsop-serve-stale-10 is now supported in unbound.
> This allows unbound to first try and resolve a domain name before
> replying with expired data from cache. This differs from unbound's
> initial serve-expired behavior which attempts to reply with expired
> entries from cache without waiting for the actual resolution to finish.
> Both behaviors are available and can be configured with the various
> serve-expired-* configuration options. serve-expired-client-timeout is
> the option that enables one or the other.
>
> The DSA algorithms have been disabled by default, this is because of
> RFC 8624.
>
> There is a crash fix in the parse of text of type WKS, reported by
> X41 D-Sec.
>
> In addition, neg and key caches can be shared with multiple
> libunbound contexts, a change that assists unwind. The
> contrib/unbound_portable.service provides a systemd start file for a
> portable setup. The configure --with-libbsd option allows the use
> of the bsd compatibility library so that it can use the arc4random
> from it. The stats in contrib/unbound_munin_ have num.query.tls and
> num.query.tls.resume added to them. For unbound-control the command
> view_local_datas_remove is added that removes data from a view.
>
> Features:
> - Merge RPZ support into master. Only QNAME and Response IP triggers are
>   supported.
> - Added serve-stale functionality as described in
>   draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
>   to configure the behavior.
> - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
> - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
>   come with a configurable TTL value (`serve-expired-reply-ttl`).
> - Merge #135 from Florian Obser: Use passed in neg and key cache
>   if non-NULL.
> - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
> - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
>   and Frzk. Updates the unbound.service systemd file and adds a portable
>   systemd service file.
> - Merge PR#154; Allow use of libbsd functions with configure option
>   --with-libbsd. By Robert Edmonds and Steven Chamberlain.
> - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
> - Merge PR#156 from Alexander Berkes; Added unbound-control
>   view_local_datas_remove command.
>
> Bug Fixes:
> - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
>   Florian Obser
> - Update mailing list URL.
> - Fix #140: Document slave not downloading new zonefile upon update.
> - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
>   The dl_iterate_phdr() function introduced in newer versions raises
>   compilation errors on solaris 10.
> - Changes to compat/getentropy_solaris.c for,
>   ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion
>   for older systems.
> - Fix 'make test' to work for --disable-sha1 configure option.
> - Fix out-of-bounds null-byte write in sldns_bget_token_par while
>   parsing type WKS, reported by Luis Merino from X41 D-Sec.
> - Updated sldns_bget_token_par fix for also space for the zero
>   delimiter after the character. And update for more spare space.
> - Fix #138: stop binding pidfile inside chroot dir in systemd service
>   file.
> - Fix the relationship between serve-expired and prefetch options,
>   patch from Saksham Manchanda from Secure64.
> - Fix unreachable code in ssl set options code.
> - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
>   because dnscrypt-proxy (2.0.36) does not support the test setup
>   any more, and also the config file format does not seem to have the
>   appropriate keys to recreate that setup.
> - Fix crash after reload where a stats lookup could reference old key
>   cache and neg cache structures.
> - Fix for memory leak when edns subnet config options are read when
>   compiled without edns subnet support.
> - Fix auth zone support for NSEC3 records without salt.
> - Merge PR#150 from Frzk: Systemd unit without chroot. It adds
>   contrib/unbound_nochroot.service.in, a systemd file for use with
>   chroot: "", see comments in the file, it uses systemd protections
>   instead. It was superseded by #151, the unbound_portable.service
>   file.
> - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
>   to Libs/Requires for crypto library dependencies.
> - iana portlist updated.
> - Fix to silence the tls handshake errors for broken pipe and reset
>   by peer, unless verbosity is set to 2 or higher.
> - Merge PR#147; change rfc reference for reserved top level dns names.
> - Fix #157: undefined reference to `htobe64'.
> - Fix subnet tests for disabled DSA algorithm by default.
> - Update contrib/fastrpz.patch for clean diff with current code.
> - updated .gitignore for added contrib file.
> - Add build rule for ipset to Makefile
> - Add getentropy_freebsd.o to Makefile dependencies.
> - Fix memory leak in error condition remote.c
> - Fix double free in error condition view.c
> - Fix memory leak in do_auth_zone_transfer on success
> - Stop working on socket when socket() call returns an error.
> - Check malloc return values in TLS session ticket code
> - Fix fclose on error in TLS session ticket code.
> - Add assertion to please static analyzer
> - Fixed stats when replying with cached, cname-aliased records.
> - Added missing default values for redis cachedb backend.
> - Fix num_reply_addr counting in mesh and tcp drop due to size
>   after serve_stale commit.
> - Fix to create and destroy rpz_lock in auth_zones structure.
> - Fix to lock zone before adding rpz qname trigger.
> - Fix to lock and release once in mesh_serve_expired_lookup.
> - Fix to put braces around empty if body when threading is disabled.
> - Fix num_reply_states and num_detached_states counting with
>   serve_expired_callback.
> - Cleaner code in mesh_serve_expired_lookup.
> - Document in unbound.conf manpage that configuration clauses can be
>   repeated in the configuration file.
> - Document 'ub_result.was_ratelimited' in libunbound.
> - Fix use after free on log-identity after a reload; Fixes #163.
> - Fix with libnettle make test with dsa disabled.
> - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
>   fixes, but it does not compile, conflicts with new rpz code.
> - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
> - Fix compile warning when threads disabled.
>
> Best regards, Wouter
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 833 bytes
> Desc: OpenPGP digital signature
> URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200213/1a546cae/attachment-0001.bin>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 13 Feb 2020 14:43:18 +0100
> From: Elmar Stellnberger <estel...@gmail.com>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Re: retrieve TLSA record also if it is not secured by DNSSEC
> Message-ID: <cahggk3ssqhoauqan93qkf6q0kxiykwqkadci_dd3cehfhsb...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> For Firefox they do intentionally not fix the flaw that you can not
> configure server certificates which use HSTS:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1606802. I suspect them
> being paid by intelligence because otherwise they would not forcefully
> implement a bug like this (previous versions of FF were good). I do
> not know how the situation is with wget and curl but the fact that you
> can not set a server certificate by a command line switch at all
> points in the same direction. Why are there dozens of switches to
> configure certification authorities but not a single switch for a
> server certificate then? The way things are now all of these projects
> are not trustworthy all together.
>
> 2020-02-12 20:57 GMT+01:00, Paul Wouters <p...@nohats.ca>:
> > On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
> >
> >> hash-slinger's "tlsa" command? I have never heard of it. I just have the
> >> libunbound library here. I do not even have the unbound-host executable
> >> here which you mentioned in my previous mail.
> >
> > https://github.com/letoams/hash-slinger
> >
> >> The atea tool I am already offering for download is something like a
> >> light weight curl or wget for https/DANE without html support. It can be
> >> used to download files though.
> >
> > Oh I see. That is different then.
> > The tlsa command is used to generate
> > or verify certificates with their DNSSEC TLSA record entries. It
> > supports both websites and mailservers.
> >
> > A tool that adds curl/wget support for TLSA is cool. although cooler
> > would be if curl/wget get native support of course :) Maybe Viktor
> > knows more about curl with openssl/tlsa support?
> >
> > Paul
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 13 Feb 2020 14:48:11 +0100
> From: Elmar Stellnberger <estel...@gmail.com>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Re: retrieve TLSA record also if it is not secured by DNSSEC
> Message-ID: <cahggk3qyvjfbvmhicgmztmyulvk+tjf7xze6azmxf81j4te...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 13 Feb 2020 14:08:21 +0000
> From: Tony Finch <d...@dotat.at>
> To: Elmar Stellnberger <estel...@gmail.com>
> Cc: Eric Luehrsen <ericluehr...@gmail.com>, unbound-users@lists.nlnetlabs.nl
> Subject: Re: dns over tls with unbound on openwrt
> Message-ID: <alpine.deb.2.20.2002131350180.25...@grey.csi.cam.ac.uk>
> Content-Type: text/plain; charset=US-ASCII
>
> Elmar Stellnberger via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
> >
> > What is the difference between recursive and forward DNS?
>
> I make a distinction which is a bit more pedantic than usual...
>
> Recursion is about the kinds of queries a server is willing to answer: if
> the server sets the RA bit (recursion available) in its responses and is
> therefore willing to answer RD (recursion desired) queries. The effect is
> that the server will obtain a complete answer and won't return referrals.
>
> This is independent of how the server gets the answers. It can perform
> iterative resolution (making queries with RD=0 and chasing referrals) or
> it can send recursive queries to another recursive server - which is
> called forwarding.
>
> According to this model, saying a server is recursive doesn't imply
> anything about whether it forwards queries or does its own iterative
> resolution. But usually when a server is described as recursive, that
> implies it does iterative resolution.
>
> The way I relate "recursion" in the DNS sense to its usual meaning, is
> when one resolver asks another resolver to answer a query on its behalf,
> it's a bit (wave hands vigorously) like a recursive call from one function
> to another function. (In the DNS case depth of recursion is determined by
> the forwarding topology, rather than reducing the complexity of the query
> as one would expect from functional recursion.)
>
> What makes the terminology extra confusing is that iterative resolution is
> about traversing a tree-shaped namespace (which has a recursive flavour)
> and iterative resolution gets explicitly recursive when the resolver has
> to resolve a nameserver address in order to follow a referral.
>
> So my rationalization is mostly in vain, because it isn't really possible
> to relate the DNS uses of recursion and iteration to their non-DNS
> meanings.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> German Bight, Humber: Cyclonic, becoming southwest later, 5 to 7, occasionally
> gale 8 at first. Moderate or rough. Rain then showers. Good, occasionally poor.
>
>
> ------------------------------
>
> End of Unbound-users Digest, Vol 2, Issue 18
> ********************************************
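The fatal error in the opening message comes from Unbound's privilege drop: at startup the daemon switches to the account named by the `username:` directive in unbound.conf (the built-in default is `unbound`) and aborts when that account does not exist on the host. The following script is an added example, not code from the Unbound project or from anyone in this thread; it reads the directive from a config text, checks it against the local password database, and reports what is missing before the daemon is started. The suggested `useradd` command and the `/usr/sbin/nologin` shell path are assumptions for a Debian/Ubuntu-style host like the one in the transcript, and the sample configs are constructed.

```python
"""Pre-flight check for Unbound's privilege-drop account (added example)."""
import pwd
import re

# Unbound's built-in default when the directive is absent from the config.
DEFAULT_USERNAME = "unbound"

# Matches e.g.   username: "unbound"   (quotes optional, trailing comment ignored).
# Lines that start with '#' never match, so commented-out directives are skipped.
_USERNAME_RE = re.compile(r'^\s*username:\s*"?([^"#\s]*)"?', re.MULTILINE)


def configured_username(conf_text: str) -> str:
    """Return the account Unbound would switch to for this config text.

    If the directive is repeated, the last occurrence is taken.
    An explicit empty string ("") means "do not drop privileges".
    """
    matches = _USERNAME_RE.findall(conf_text)
    return matches[-1] if matches else DEFAULT_USERNAME


def check_privilege_drop(conf_text: str) -> dict:
    """Report whether the configured account exists on this host.

    Returns a dict with keys:
      user    - the account name ("" when privilege drop is disabled)
      exists  - True if the account is in the password database
      status  - "ok", "missing" or "no-drop"
      remedy  - a suggested fix, or "" when nothing is needed
    """
    user = configured_username(conf_text)
    if user == "":
        # Running as root for the daemon's whole lifetime is the risky setting.
        return {"user": "", "exists": False, "status": "no-drop",
                "remedy": 'set username: "unbound" and create that account '
                          "so the daemon does not keep root privileges"}
    try:
        pwd.getpwnam(user)
    except KeyError:
        # Assumed remedy: a system account with no login shell and no home
        # directory, which is what a resolver daemon needs and nothing more.
        return {"user": user, "exists": False, "status": "missing",
                "remedy": f"useradd --system --shell /usr/sbin/nologin "
                          f"--no-create-home {user}"}
    return {"user": user, "exists": True, "status": "ok", "remedy": ""}


# Constructed sample configs mirroring the failing setup in the thread:
# no username directive at all, so the default "unbound" account is required.
SAMPLE_DEFAULT = """server:
    verbosity: 1
    interface: 127.0.0.1
"""
# Constructed sample with privilege drop switched off.
SAMPLE_NO_DROP = """server:
    username: ""
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("no-drop", SAMPLE_NO_DROP)):
        print(name, check_privilege_drop(text))
```

Running this against the real unbound.conf before `unbound -c ...` turns the fatal error into a readable report; the "no-drop" branch exists because removing the directive's value silences the error but leaves the resolver running as root, which is the wrong fix.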
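Tony Finch's distinction in Message 4 (a recursive server is one that sets RA and answers RD=1 queries; whether it forwards RD=1 queries upstream or iterates with RD=0 queries and chases referrals is a separate matter) comes down to two bits in the 12-byte DNS message header of RFC 1035 section 4.1.1. The helpers below are an added example, not code from the thread or from Unbound; they build and parse that header so the two query styles and the two kinds of reply can be compared byte for byte. The sample messages are constructed and contain only the header, not a question section.

```python
"""RD/RA flags in the DNS header: recursive vs iterative vs forwarded (added example)."""
import struct

FLAG_QR = 0x8000   # 0 = query, 1 = response
FLAG_RD = 0x0100   # recursion desired, set by the client
FLAG_RA = 0x0080   # recursion available, set by the server
RCODE_MASK = 0x000F


def build_header(msg_id: int, recursion_desired: bool, qdcount: int = 1) -> bytes:
    """Return the 12-byte header of a standard query (QR=0, OPCODE=0).

    A stub resolver or a forwarder sets RD; an iterative resolver talking to
    authoritative servers clears it, as Tony describes.
    """
    flags = FLAG_RD if recursion_desired else 0
    # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all big-endian 16-bit
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)


def parse_header(raw: bytes) -> dict:
    """Decode the header fields a resolver looks at when classifying a reply."""
    if len(raw) < 12:
        raise ValueError("DNS header is 12 bytes")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    return {
        "id": msg_id,
        "is_response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(raw: bytes) -> str:
    """Name the kind of server a response came from, using Tony's model.

    RA set: a server willing to recurse (whether it forwarded or iterated
    to get the answer is invisible in the header). RA clear with no answer
    records, authority records and RCODE 0: the referral an iterative
    resolver has to chase itself.
    """
    h = parse_header(raw)
    if not h["is_response"]:
        return "not a response"
    if h["ra"]:
        return "recursive server (RA set)"
    if h["ancount"] == 0 and h["nscount"] > 0 and h["rcode"] == 0:
        return "referral from an authoritative server (RA clear)"
    return "authoritative answer (RA clear)"


# Constructed sample messages (headers only).
STUB_QUERY = build_header(0x1234, recursion_desired=True)        # stub/forwarder -> recursive server
ITERATIVE_QUERY = build_header(0x1234, recursion_desired=False)  # iterative resolver -> authoritative
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, 0, 4, 4)

if __name__ == "__main__":
    print("stub query flags:     ", hex(struct.unpack("!H", STUB_QUERY[2:4])[0]))
    print("iterative query flags:", hex(struct.unpack("!H", ITERATIVE_QUERY[2:4])[0]))
    print(classify_response(RECURSIVE_REPLY))
    print(classify_response(REFERRAL_REPLY))
```

The only on-the-wire difference between a forwarded query and an iterative one is the RD bit in the second 16-bit word (0x0100 versus 0x0000), which is why packet captures, not server descriptions, settle whether a "recursive" resolver is actually forwarding.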