Hi RayG,

From the unit test, a sample output if rpz-log is enabled:

info: RPZ applied [rpz.example.com] a. nxdomain 127.0.0.1@53 a. TXT IN

It is applied to the query 'a' here, of type txt, from localhost. And the action, or action-override, is nxdomain. With rpz-log enabled, verbosity 0 is enough to see that, or more. So verbosity does not matter.

Best regards, Wouter

On 02/02/2021 18:06, RayG wrote:
> Hi Wouter,
>
> I am assuming that the RPZ issue I had on v1.13.0 is included in the fixes
> but I could not see something that registered with me in the notes you put
> out.
>
> Given that when I look at the URLHaus web site and pick a few names at random
> from the list I do get an NXDOMAIN response from Unbound.
>
> I was expecting that when this happened I would see in the log file some
> reference to the fact the NXDOMAIN was returned due to an RPZ entry?
>
> If this is correct what verbosity level is required to see the entries?
>
> Do you have any log examples to show it is working correctly please?
>
> rpz: # MyResponsePolicyZones.conf
> name: "URLHaus"
> zonefile: "C:\ProgramData\Unbound\Logs\urlhaus.zone"
> url: "https://urlhaus.abuse.ch/downloads/rpz/"
> rpz-log: yes
> rpz-log-name: "URLHausRPZ"
> rpz-action-override: nxdomain
>
> Thanks
>
> RayG
>
> -----Original Message-----
> From: RayG <rgs...@btinternet.com>
> Sent: 02 February 2021 16:31
> To: 'Wouter Wijngaards' <wou...@nlnetlabs.nl>; unbound-us...@nlnetlabs.nl
> Subject: RE: Unbound 1.13.1rc1 pre-release
>
> Hi Wouter,
>
> OK that seems to have fixed things - we are now running - let's see what
> happens now...
>
> Thanks for the quick fixes.
>
> RayG
>
> -----Original Message-----
> From: Wouter Wijngaards <wou...@nlnetlabs.nl>
> Sent: 02 February 2021 16:27
> To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl
> Subject: Re: Unbound 1.13.1rc1 pre-release
>
> Hi RayG,
>
> Fixed this in the commit
> https://github.com/NLnetLabs/unbound/commit/46939294710d24a37f9f838141f26e6b063b01f3
>
> Thanks for the report! I updated the link with the installer to a new
> installer with a root.key file that has the right contents.
> www.nlnetlabs.nl/~wouter/unbound_setup_1.13.1_20210202.exe
> www.nlnetlabs.nl/~wouter/unbound-1.13.1_20210202.zip
>
> Best regards, Wouter
>
> On 02/02/2021 16:38, RayG wrote:
>> Hi Wouter,
>>
>> A bit further forward but it still will not run.
>>
>> The reason being that the root.key file has a zero length. It has the
>> correct info when 1.13.0 is running.
>>
>> unbound_setup_1.13.1_20210202 corrupts the file.
>>
>> C:\Program Files\Unbound>unbound-checkconf.exe
>> [1612280164] unbound-checkconf[9652:0] error: failed to read C:\Program Files\Unbound\root.key
>> [1612280164] unbound-checkconf[9652:0] error: error reading auto-trust-anchor-file: C:\Program Files\Unbound\root.key
>> [1612280164] unbound-checkconf[9652:0] error: validator: error in trustanchors config
>> [1612280164] unbound-checkconf[9652:0] error: validator: could not apply configuration settings.
>> [1612280164] unbound-checkconf[9652:0] fatal error: bad config for validator module
>>
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] notice: init module 0: respip
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] notice: init module 1: validator
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] error: failed to read C:\Program Files\Unbound\root.key
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] error: error reading auto-trust-anchor-file: C:\Program Files\Unbound\root.key
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] error: validator: error in trustanchors config
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] error: validator: could not apply configuration settings.
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] error: module init for module validator failed
>> 02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] fatal error: failed to setup modules
>>
>> RayG
>> -----Original Message-----
>> From: Wouter Wijngaards <wou...@nlnetlabs.nl>
>> Sent: 02 February 2021 15:17
>> To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl
>> Subject: Re: Unbound 1.13.1rc1 pre-release
>>
>> Hi RayG,
>>
>> Here is a build for today's fix
>> www.nlnetlabs.nl/~wouter/unbound_setup_1.13.1_20210202.exe
>> www.nlnetlabs.nl/~wouter/unbound-1.13.1_20210202.zip
>> and .asc pgp signature and .sha256 sum files.
>>
>> Best regards, Wouter
>>
>> On 02/02/2021 15:44, RayG wrote:
>>> Hi Wouter,
>>>
>>> Thanks
>>>
>>> I'll have to wait until you next build the Windows installer.
>>>
>>> RayG
>>>
>>> -----Original Message-----
>>> From: Wouter Wijngaards <wou...@nlnetlabs.nl>
>>> Sent: 02 February 2021 14:09
>>> To: RayG <rgs...@btinternet.com>; unbound-us...@nlnetlabs.nl;
>>> maintain...@nlnetlabs.nl
>>> Subject: Re: Unbound 1.13.1rc1 pre-release
>>>
>>> Hi RayG,
>>>
>>> This seems to be because of a default stack protector in mingw. Fix
>>> includes libssp in the libunbound/ directory of the zipfile, and
>>> attempts to statically link with it in the unbound executable.
>>> It is applied to the repository in commits
>>> https://github.com/NLnetLabs/unbound/commit/aa8dfe94d31e11c19897444b955af6ac10aec1cd
>>> https://github.com/NLnetLabs/unbound/commit/f9a1ac3f0b1a415d8085e113d44797e62c436a52
>>> https://github.com/NLnetLabs/unbound/commit/18840665bcbb28c9de07bc3b20157a0dde13f8fd
>>>
>>> Best regards, Wouter
>>>
>>> On 02/02/2021 13:39, RayG wrote:
>>>> V1.13.1rc1 will not run on Windows X64 (20H2)
>>>>
>>>> The error is:
>>>> "the code execution cannot proceed because libssp-0.dll was not found"
>>>>
>>>> Reinstalling the application does not help,
>>>>
>>>> Reverting to v1.13.0
>>>>
>>>> RayG
>>>> -----Original Message-----
>>>> From: Wouter Wijngaards <wou...@nlnetlabs.nl>
>>>> Sent: 02 February 2021 07:47
>>>> To: unbound-us...@nlnetlabs.nl; maintain...@nlnetlabs.nl
>>>> Subject: Unbound 1.13.1rc1 pre-release
>>>>
>>>> Hi,
>>>>
>>>> Unbound 1.13.1rc1 pre-release is available
>>>> https://nlnetlabs.nl/downloads/unbound/unbound-1.13.1rc1.tar.gz
>>>> sha256 c652c0a35165c97962f0cd503902b95096b3f3252d1bf9cefe5ab9e4910e4fec
>>>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.1rc1.tar.gz.asc
>>>>
>>>>
>>>> This release contains a number of bug fixes. There is added support for
>>>> the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID option
>>>> (RFC 5001). Unbound control has added commands to enable and disable rpz
>>>> processing. Reply callbacks have a start time passed to them that can be
>>>> used to calculate time, these are callbacks for response processing. With
>>>> the option serve-original-ttl the TTL served in responses is the original,
>>>> not counted down, value, for when in front of authority service.
>>>>
>>>> Features
>>>> - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
>>>>   to unbound-control.
>>>> - Merge PR #391 from fhriley: Add start_time to reply callbacks so
>>>>   modules can compute the response time.
>>>> - Fix #397: [Feature request] add new type always_null to local-zone
>>>>   similar to always_nxdomain.
>>>> - Support for RFC5001: DNS Name Server Identifier (NSID) Option
>>>>   with the nsid: option in unbound.conf
>>>> - Padding of queries and responses with DNS over TLS as specified in
>>>>   RFC7830 and RFC8467.
>>>> - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
>>>>   original instead of a decrementing TTL ('serve-original-ttl')
>>>>
>>>> Bug Fixes
>>>> - Fix #358: Squelch udp connect 'no route to host' errors on low
>>>>   verbosity.
>>>> - Fix #360: for the additionally reported TCP Fast Open makes TCP
>>>>   connections fail, in that case we print a hint that this is
>>>>   happening with the error in the logs.
>>>> - Fix #356: deadlock when listening tcp.
>>>> - Fix unbound-dnstap-socket to not use log routine from interrupt
>>>>   handler and not print so frequently when invoked in sequence.
>>>> - Fix on windows to ignore connection failure on UDP, unless verbose.
>>>> - make depend.
>>>> - Fix #371: unbound-control timeout when Unbound is not running.
>>>> - Fix to squelch permission denied and other errors from remote host,
>>>>   they are logged at higher verbosity but not on low verbosity.
>>>> - Merge PR #335 from fobser: Sprinkle in some static to prevent
>>>>   missing prototype warnings.
>>>> - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
>>>>   is a GNU extension.
>>>> - Fix missing prototypes in the code.
>>>> - Fix error cases when udp-connect is set and send() returns an error
>>>>   (modified patch from Xin Li @delphij).
>>>> - For #376: Fix that comm point event is not double removed or double
>>>>   added to event map.
>>>> - iana portlist updated.
>>>> - Fix #385: autoconf 2.70 impacts unbound build
>>>> - Fix #379: zone loading over HTTP appears to have buffer issues.
>>>> - Merge PR #395 from mptre: add missing null check.
>>>> - Fix #387: client-subnet-always-forward seems to effectively bypass
>>>>   any caching?
>>>> - For #391: use struct timeval* start_time for callback information.
>>>> - For #391: fix indentation.
>>>> - For #391: more double casts in python start time calculation.
>>>> - Add comment documentation.
>>>> - Fix clang analysis warning.
>>>> - Fix so local zone types always_nodata and always_deny can be used
>>>>   from the config file.
>>>> - Merge #399 from xiangbao227: The lock of lruhash table should
>>>>   unlocked after markdel entry.
>>>> - Fix for #93: dynlibmodule link fix for Windows.
>>>> - Fix for #93: dynlibmodule import library is named libunbound.dll.a.
>>>> - Merge #402 from fobser: Implement IPv4-Embedded addresses according
>>>>   to RFC6052.
>>>> - Fix #404: DNS query with small edns bufsize fail.
>>>> - Fix declaration before statement and signed comparison warning in
>>>>   dns64.
>>>> - Fix TTL of SOA record for negative answers (localzone and
>>>>   authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
>>>> - Fix compile of unbound-dnstap-socket without dnstap installed.
>>>> - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
>>>>   static data.
>>>> - Ignore cache blacklisting when trying to reply with expired data from
>>>>   cache (#394).
>>>> - Merge PR #408 from fobser: Prevent a few more yacc clashes.
>>>> - Annotate that we ignore the return value of if_indextoname.
>>>> - Fix to use correct type for label count in rpz routine.
>>>> - Fix empty clause warning in config_file nsid parse.
>>>> - Fix to use correct type for label count in ipdnametoaddr rpz routine.
>>>> - Fix empty clause warning in edns pass for padding.
>>>> - Fix for doxygen 1.8.20 compatibility.
>>>> - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
>>>>
>>>>
>>>> Best regards, Wouter
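
Added example (not part of the original thread and not Unbound project code): a Python parser for the RPZ log line quoted in the top reply, counting hits per client and query name so blocked lookups can be reviewed from the log file. The field names, the optional bracketed tag, and every sample line other than the unit-test one are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field layout inferred from the sample line in the thread (field names are ours):
#   RPZ applied [tag] <matched name> <action> <client>@<port> <qname> <qtype> <qclass>
# Assumption: the bracketed tag may be absent, so it is optional here.
RPZ_LINE = re.compile(
    r"RPZ applied (?:\[(?P<tag>[^\]]*)\] )?"
    r"(?P<matched>\S+) (?P<action>\S+) "
    r"(?P<client>\S+)@(?P<port>\d+) "
    r"(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$"
)


def parse_rpz_line(line):
    """Return the fields of an RPZ log line as a dict, or None for other lines."""
    m = RPZ_LINE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    hit["port"] = int(hit["port"])
    return hit


def summarize(lines):
    """Count RPZ hits per (tag, client, qname, action)."""
    counts = Counter()
    for line in lines:
        hit = parse_rpz_line(line)
        if hit is not None:
            counts[(hit["tag"], hit["client"], hit["qname"], hit["action"])] += 1
    return counts


# First line is the unit-test sample from the thread; the rest are constructed.
PREFIX = r"02/02/2021 15:33:52 C:\Program Files\Unbound\unbound.exe[4548:0] "
SAMPLE_LOG = [
    "info: RPZ applied [rpz.example.com] a. nxdomain 127.0.0.1@53 a. TXT IN",
    PREFIX + "notice: init module 1: validator",
    PREFIX + "info: RPZ applied [URLHausRPZ] bad.example. nxdomain 192.0.2.10@53124 bad.example. A IN",
    PREFIX + "info: RPZ applied [URLHausRPZ] bad.example. nxdomain 192.0.2.10@53200 bad.example. AAAA IN",
    PREFIX + "info: RPZ applied [URLHausRPZ] bad.example. nxdomain 2001:db8::5@40000 bad.example. A IN",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

The client address and port are split on the last `@` before the port digits, so IPv6 client addresses parse the same way as IPv4 ones.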