Hi Benno, I installed unbound by downloading the source code and running make install. Below are the details you asked for. I did not install unbound from a package distribution.

root@ubuntu:~# which unbound
/usr/local/sbin/unbound
root@ubuntu:~# ls -ll /usr/local/sbin/unbound
-rwxr-xr-x 1 root root 3868744 Feb 7 15:54 /usr/local/sbin/unbound
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-76-generic #86~16.04.1-Ubuntu SMP Mon Jan 20 10:58:26 UTC 2020 i686 i686 i686 GNU/Linux

Rgds
Simon

On Thu, Feb 13, 2020 at 1:38 PM Benno Overeinder <[email protected]> wrote:

> Dear Simon Baby,
>
> The message tells that user ‘Unbound’ does not exist on your system. Which
> OS are you using and did you install the package from a distribution?
>
> — Benno
>
> —
> Benno J. Overeinder
> NLnet Labs
> https://www.nlnetlabs.nl/
>
> On 13 Feb 2020 at 20:17, SIMON BABY via Unbound-users <[email protected]> wrote:
>
>
> Hi,
>
> I am getting the below error while trying to run unbound on my machine. I
> am using unbound-1.9.6. Can someone please help.
>
> root@ubuntu:~# which unbound
> /usr/local/sbin/unbound
> root@ubuntu:~# unbound -c /usr/local/etc/unbound/unbound.conf
> *[1581621083] unbound[22619:0] fatal error: user 'unbound' does not exist.*
> root@ubuntu:~# unbound -c /usr/local/etc/unbound/unbound.conf
>
> rgds
> Simon
>
> On Thu, Feb 13, 2020 at 6:08 AM <[email protected]> wrote:
>
>> Send Unbound-users mailing list submissions to
>>     [email protected]
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>     https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users
>> or, via email, send a message with subject or body 'help' to
>>     [email protected]
>>
>> You can reach the person managing the list at
>>     [email protected]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Unbound-users digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Unbound 1.10.0rc1 pre-release (Wouter Wijngaards)
>>    2. Re: retrieve TLSA record also if it is not secured by DNSSEC
>>       (Elmar Stellnberger)
>>    3. Re: retrieve TLSA record also if it is not secured by DNSSEC
>>       (Elmar Stellnberger)
>>    4. Re: dns over tls with unbound on openwrt (Tony Finch)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 13 Feb 2020 13:41:53 +0100
>> From: Wouter Wijngaards <[email protected]>
>> To: [email protected], [email protected]
>> Subject: Unbound 1.10.0rc1 pre-release
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi,
>>
>> Unbound 1.10.0rc1 pre-release is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz
>> sha256 cee1761b7801ae1f6e37f8a81f0646b93ad62bad565fe8459d46661073ca8440
>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0rc1.tar.gz.asc
>>
>> This is the maintainers' pre-release.
>>
>> The 1.10.0rc1 release has RPZ support and serve stale functionality
>> according to draft draft-ietf-dnsop-serve-stale-10. And a number of
>> other, smaller, features, and bug fixes.
>>
>> The DNS Response Policy Zones (RPZ) functionality makes it possible
>> to express DNS response policies in a DNS zone. These zones can
>> be loaded from file or transferred over DNS zone transfers or
>> HTTP. The RPZ functionality in Unbound is implemented as specified in
>> draft-vixie-dnsop-dns-rpz-00. Only the QNAME and Response IP Address
>> triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA,
>> PASSTHRU, DROP and Local Data.
>>
>> Enabling the respip module using `module-config` is required to use
>> RPZ. Each RPZ zone can be configured using the `rpz` clause. RPZ clauses
>> are applied in order of configuration. Unbound can get the data from
>> zone transfer, a zonefile or https url, and more options are documented
>> in the man page. A minimal RPZ configuration that will transfer the
>> RPZ zone using AXFR and IXFR can look like:
>>
>> server:
>>     module-config: "respip validator iterator"
>>
>> rpz:
>>     name: "rpz.example.com"  # name of the policy zone
>>     master: 192.0.2.0        # address of the name server to transfer from
>>
>> The serve-stale functionality as described in
>> draft-ietf-dnsop-serve-stale-10 is now supported in unbound.
>> This allows unbound to first try and resolve a domain name before
>> replying with expired data from cache. This differs from unbound's
>> initial serve-expired behavior which attempts to reply with expired
>> entries from cache without waiting for the actual resolution to finish.
>> Both behaviors are available and can be configured with the various
>> serve-expired-* configuration options. serve-expired-client-timeout is
>> the option that enables one or the other.
>>
>> The DSA algorithms have been disabled by default, this is because of
>> RFC 8624.
>>
>> There is a crash fix in the parse of text of type WKS, reported by
>> X41 D-Sec.
>>
>> In addition, neg and key caches can be shared with multiple
>> libunbound contexts, a change that assists unwind. The
>> contrib/unbound_portable.service provides a systemd start file for a
>> portable setup. The configure --with-libbsd option allows the use
>> of the bsd compatibility library so that it can use the arc4random
>> from it. The stats in contrib/unbound_munin_ have num.query.tls and
>> num.query.tls.resume added to them. For unbound-control the command
>> view_local_datas_remove is added that removes data from a view.
>>
>>
>> Features:
>> - Merge RPZ support into master. Only QNAME and Response IP triggers are
>>   supported.
>> - Added serve-stale functionality as described in
>>   draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
>>   to configure the behavior.
>> - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
>> - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
>>   come with a configurable TTL value (`serve-expired-reply-ttl`).
>> - Merge #135 from Florian Obser: Use passed in neg and key cache
>>   if non-NULL.
>> - Fix #153: Disable validation for DSA algorithms. RFC 8624 compliance.
>> - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
>>   and Frzk. Updates the unbound.service systemd file and adds a portable
>>   systemd service file.
>> - Merge PR#154; Allow use of libbsd functions with configure option
>>   --with-libbsd. By Robert Edmonds and Steven Chamberlain.
>> - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
>> - Merge PR#156 from Alexander Berkes; Added unbound-control
>>   view_local_datas_remove command.
>>
>> Bug Fixes:
>> - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
>>   Florian Obser
>> - Update mailing list URL.
>> - Fix #140: Document slave not downloading new zonefile upon update.
>> - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
>>   The dl_iterate_phdr() function introduced in newer versions raises
>>   compilation errors on solaris 10.
>> - Changes to compat/getentropy_solaris.c for,
>>   ifdef stdint.h inclusion for older systems. ifdef sha2.h inclusion
>>   for older systems.
>> - Fix 'make test' to work for --disable-sha1 configure option.
>> - Fix out-of-bounds null-byte write in sldns_bget_token_par while
>>   parsing type WKS, reported by Luis Merino from X41 D-Sec.
>> - Updated sldns_bget_token_par fix for also space for the zero
>>   delimiter after the character. And update for more spare space.
>> - Fix #138: stop binding pidfile inside chroot dir in systemd service
>>   file.
>> - Fix the relationship between serve-expired and prefetch options,
>>   patch from Saksham Manchanda from Secure64.
>> - Fix unreachable code in ssl set options code.
>> - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
>>   because dnscrypt-proxy (2.0.36) does not support the test setup
>>   any more, and also the config file format does not seem to have the
>>   appropriate keys to recreate that setup.
>> - Fix crash after reload where a stats lookup could reference old key
>>   cache and neg cache structures.
>> - Fix for memory leak when edns subnet config options are read when
>>   compiled without edns subnet support.
>> - Fix auth zone support for NSEC3 records without salt.
>> - Merge PR#150 from Frzk: Systemd unit without chroot. It add
>>   contrib/unbound_nochroot.service.in, a systemd file for use with
>>   chroot: "", see comments in the file, it uses systemd protections
>>   instead. It was superseded by #151, the unbound_portable.service
>>   file.
>> - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
>>   to Libs/Requires for crypto library dependencies.
>> - iana portlist updated.
>> - Fix to silence the tls handshake errors for broken pipe and reset
>>   by peer, unless verbosity is set to 2 or higher.
>> - Merge PR#147; change rfc reference for reserved top level dns names.
>> - Fix #157: undefined reference to `htobe64'.
>> - Fix subnet tests for disabled DSA algorithm by default.
>> - Update contrib/fastrpz.patch for clean diff with current code.
>> - updated .gitignore for added contrib file.
>> - Add build rule for ipset to Makefile
>> - Add getentropy_freebsd.o to Makefile dependencies.
>> - Fix memory leak in error condition remote.c
>> - Fix double free in error condition view.c
>> - Fix memory leak in do_auth_zone_transfer on success
>> - Stop working on socket when socket() call returns an error.
>> - Check malloc return values in TLS session ticket code
>> - Fix fclose on error in TLS session ticket code.
>> - Add assertion to please static analyzer
>> - Fixed stats when replying with cached, cname-aliased records.
>> - Added missing default values for redis cachedb backend.
>> - Fix num_reply_addr counting in mesh and tcp drop due to size
>>   after serve_stale commit.
>> - Fix to create and destroy rpz_lock in auth_zones structure.
>> - Fix to lock zone before adding rpz qname trigger.
>> - Fix to lock and release once in mesh_serve_expired_lookup.
>> - Fix to put braces around empty if body when threading is disabled.
>> - Fix num_reply_states and num_detached_states counting with
>>   serve_expired_callback.
>> - Cleaner code in mesh_serve_expired_lookup.
>> - Document in unbound.conf manpage that configuration clauses can be
>>   repeated in the configuration file.
>> - Document 'ub_result.was_ratelimited' in libunbound.
>> - Fix use after free on log-identity after a reload; Fixes #163.
>> - Fix with libnettle make test with dsa disabled.
>> - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
>>   fixes, but it does not compile, conflicts with new rpz code.
>> - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
>> - Fix compile warning when threads disabled.
>>
>> Best regards, Wouter
>>
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: signature.asc
>> Type: application/pgp-signature
>> Size: 833 bytes
>> Desc: OpenPGP digital signature
>> URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200213/1a546cae/attachment-0001.bin>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 13 Feb 2020 14:43:18 +0100
>> From: Elmar Stellnberger <[email protected]>
>> To: [email protected]
>> Subject: Re: retrieve TLSA record also if it is not secured by DNSSEC
>> Message-ID:
>>     <cahggk3ssqhoauqan93qkf6q0kxiykwqkadci_dd3cehfhsb...@mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> For Firefox they do intentionally not fix the flaw that you can not
>> configure server certificates which use HSTS:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1606802. I suspect them
>> being paid by intelligence because otherwise they would not forcefully
>> implement a bug like this (previous versions of FF were good). I do
>> not know how the situation is with wget and curl but the fact that you
>> can not set a server certificate by a command line switch at all
>> points in the same direction. Why are there dozens of switches to
>> configure certification authorities but not a single switch for a
>> server certificate then? The way things are now all of these projects
>> are not trustworthy all together.
>>
>> 2020-02-12 20:57 GMT+01:00, Paul Wouters <[email protected]>:
>> > On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
>> >
>> >> hash-slinger's "tlsa" command? I have never heard of it. I just have the
>> >> libunbound library here. I do not even have the unbound-host executable
>> >> here which you mentioned in my previous mail.
>> >
>> > https://github.com/letoams/hash-slinger
>> >
>> >> The atea tool I am already offering for download is something like a
>> >> light weight curl or wget for https/DANE without html support. It can be
>> >> used to download files though.
>> >
>> > Oh I see. That is different then. The tlsa command is used to generate
>> > or verify certificates with their DNSSEC TLSA record entries. It
>> > supports both websites and mailservers.
>> >
>> > A tool that adds curl/wget support for TLSA is cool. although cooler
>> > would be if curl/wget get native support of course :) Maybe Viktor
>> > knows more about curl with openssl/tlsa support?
>> >
>> > Paul
>> >
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 13 Feb 2020 14:48:11 +0100
>> From: Elmar Stellnberger <[email protected]>
>> To: [email protected]
>> Subject: Re: retrieve TLSA record also if it is not secured by DNSSEC
>> Message-ID:
>>     <cahggk3qyvjfbvmhicgmztmyulvk+tjf7xze6azmxf81j4te...@mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> For Firefox they do intentionally not fix the flaw that you can not
>> configure server certificates which use HSTS:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1606802. I suspect them
>> being paid by intelligence because otherwise they would not forcefully
>> implement a bug like this (previous versions of FF were good). I do
>> not know how the situation is with wget and curl but the fact that you
>> can not set a server certificate by a command line switch at all
>> points in the same direction. Why are there dozens of switches to
>> configure certification authorities but not a single switch for a
>> server certificate then? The way things are now all of these projects
>> are not trustworthy all together.
>>
>> 2020-02-12 20:57 GMT+01:00, Paul Wouters <[email protected]>:
>> > On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
>> >
>> >> hash-slinger's "tlsa" command? I have never heard of it. I just have the
>> >> libunbound library here. I do not even have the unbound-host executable
>> >> here which you mentioned in my previous mail.
>> >
>> > https://github.com/letoams/hash-slinger
>> >
>> >> The atea tool I am already offering for download is something like a
>> >> light weight curl or wget for https/DANE without html support. It can be
>> >> used to download files though.
>> >
>> > Oh I see. That is different then. The tlsa command is used to generate
>> > or verify certificates with their DNSSEC TLSA record entries. It
>> > supports both websites and mailservers.
>> >
>> > A tool that adds curl/wget support for TLSA is cool. although cooler
>> > would be if curl/wget get native support of course :) Maybe Viktor
>> > knows more about curl with openssl/tlsa support?
>> >
>> > Paul
>> >
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Thu, 13 Feb 2020 14:08:21 +0000
>> From: Tony Finch <[email protected]>
>> To: Elmar Stellnberger <[email protected]>
>> Cc: Eric Luehrsen <[email protected]>,
>>     [email protected]
>> Subject: Re: dns over tls with unbound on openwrt
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=US-ASCII
>>
>> Elmar Stellnberger via Unbound-users <[email protected]>
>> wrote:
>>
>> > What is the difference between recursive and forward DNS?
>>
>> I make a distinction which is a bit more pedantic than usual...
>>
>> Recursion is about the kinds of queries a server is willing to answer: if
>> the server sets the RA bit (recursion available) in its responses and is
>> therefore willing to answer RD (recursion desired) queries. The effect is
>> that the server will obtain a complete answer and won't return referrals.
>>
>> This is independent of how the server gets the answers. It can perform
>> iterative resolution (making queries with RD=0 and chasing referrals) or
>> it can send recursive queries to another recursive server - which is
>> called forwarding.
>>
>> According to this model, saying a server is recursive doesn't imply
>> anything about whether it forwards queries or does its own iterative
>> resolution. But usually when a server is described as recursive, that
>> implies it does iterative resolution.
>>
>> The way I relate "recursion" in the DNS sense to its usual meaning, is
>> when one resolver asks another resolver to answer a query on its behalf,
>> it's a bit (wave hands vigorously) like a recursive call from one function
>> to another function. (In the DNS case depth of recursion is determined by
>> the forwarding topology, rather than reducing the complexity of the query
>> as one would expect from functional recursion.)
>>
>> What makes the terminology extra confusing is that iterative resolution is
>> about traversing a tree-shaped namespace (which has a recursive flavour)
>> and iterative resolution gets explicitly recursive when the resolver has
>> to resolve a nameserver address in order to follow a referral.
>>
>> So my rationalization is mostly in vain, because it isn't really possible
>> to relate the DNS uses of recursion and iteration to their non-DNS
>> meanings.
>>
>> Tony.
>> --
>> f.anthony.n.finch <[email protected]> http://dotat.at/
>> German Bight, Humber: Cyclonic, becoming southwest later, 5 to 7,
>> occasionally gale 8 at first. Moderate or rough. Rain then showers. Good,
>> occasionally poor.
>>
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> Unbound-users mailing list
>> [email protected]
>> https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users
>>
>>
>> ------------------------------
>>
>> End of Unbound-users Digest, Vol 2, Issue 18
>> ********************************************
>>
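
The fatal error at the top of this thread concerns the account unbound switches to after binding its ports, set by `username:` in unbound.conf. As an added example (not part of the thread and not NLnet Labs code), this preflight check reads that option and reports whether the account exists; the function names and the sample config are constructed, and the fallback to `unbound` assumes the build kept the default account name.

```shell
#!/bin/sh
# Added example: preflight check for the account unbound drops privileges to.

# Print the effective "username:" value from an unbound.conf.
# Assumption: the build kept the default account name "unbound", which
# applies when the option is absent. username: "" means no user change.
unbound_conf_user() {
    awk '
        /^[ \t]*username:/ {
            v = $0
            sub(/^[ \t]*username:[ \t]*/, "", v)
            sub(/[ \t]*#.*$/, "", v)    # drop a trailing comment
            gsub(/"/, "", v)            # drop optional quotes
            sub(/[ \t]+$/, "", v)       # drop trailing blanks
            val = v; found = 1
        }
        END { if (found) print val; else print "unbound" }
    ' "$1"
}

# Return 0 if the configured account exists (or no drop is requested),
# 1 if startup would stop with "user '<name>' does not exist".
check_unbound_user() {
    user=$(unbound_conf_user "$1")
    if [ -z "$user" ]; then
        echo "username is empty: unbound keeps the user it was started as"
        return 0
    fi
    if id -u "$user" >/dev/null 2>&1; then
        echo "ok: account '$user' exists"
        return 0
    fi
    echo "missing: account '$user' does not exist; create an unprivileged one:"
    echo "  useradd --system --no-create-home --shell /usr/sbin/nologin $user"
    return 1
}

# Constructed sample config (not from the thread); $1 is the username value.
demo_conf() {
    f=$(mktemp)
    printf 'server:\n    verbosity: 1\n    username: "%s"  # drop to this user\n' "$1" > "$f"
    echo "$f"
}

# Demo on constructed input: one account that exists, one that does not.
check_unbound_user "$(demo_conf root)" || true
check_unbound_user "$(demo_conf no-such-account-zz9)" || true
```

Running the daemon as a dedicated unprivileged account is preferable to setting `username: ""`, which leaves it with the privileges it was started with.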
