Hi Casey,

On 01/22/2014 10:18 AM, Casey Stone wrote:
> I previously posted about Unbound seemingly not observing the
> forward-zone settings in my setup (unbound version 1.4.19 on Ubuntu
> 13.04 server). My reason for using the forward-zone directive in
> unbound.conf is to forward all requests through dnscrypt-proxy
> running on the localhost:
>
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.2
>
> I received no feedback from this list so I also posted on
> dnscrypt-proxy github page (
> https://github.com/jedisct1/dnscrypt-proxy/issues/19 ) where
> thankfully a fellow affected individual, Simon, posted his
> solution.
>
> This could be a BUG in UNBOUND ... the solution is unbound.conf
> MUST explicitly turn off remote control (neither of us was using
> remote control):
>
> remote-control:
>     control-enable: no
>
> Simply not including control-enable in the unbound.conf is not
> sufficient. More documentation/discussion of the issue, setup, and
> solution is available on the above mentioned github page.

Thanks for sharing this back here. I see in the logfiles on the github
page that:

Sep 17 04:28:06 unbound[10138:0] debug: new control connection from ip4 127.0.0.1 port 50815 (len 16)
Sep 17 04:28:06 unbound[10138:0] debug: comm point stop listening 12
Sep 17 04:28:06 unbound[10138:0] debug: comm point start listening 12
Sep 17 04:28:06 unbound[10138:0] debug: remote control connection authenticated
Sep 17 04:28:06 unbound[10138:0] info: control cmd: forward off

It seems something else is running and calling "unbound-control forward
off". This would disable your configured forward-zone statement at run
time. Setting control-enable: no causes this unbound-control sequence
to be ignored (because you disallow remote-control in unbound.conf).

(are you running dnssec-trigger? Uninstall it because you want to
manually configure where queries go)

So, it is not so much a bug in control-enable, there is some program on
the machine that calls unbound-control forward off and that is the 'root
cause'. Or at least, a step close to a root cause for not having the
unbound configuration you want.

Best regards,
Wouter
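Added example (not part of the original message and not code from the Unbound project): a Python sketch that scans Unbound debug logs, in the format quoted above, for remote-control commands that change forwarding at run time and reports which control peer sent them. The function and variable names are hypothetical; forward_add and forward_remove are unbound-control commands beyond the single "forward off" seen in the thread.

```python
import re

# Sample input: the log lines quoted in the message above.
SAMPLE_LOG = """\
Sep 17 04:28:06 unbound[10138:0] debug: new control connection from ip4 127.0.0.1 port 50815 (len 16)
Sep 17 04:28:06 unbound[10138:0] debug: comm point stop listening 12
Sep 17 04:28:06 unbound[10138:0] debug: comm point start listening 12
Sep 17 04:28:06 unbound[10138:0] debug: remote control connection authenticated
Sep 17 04:28:06 unbound[10138:0] info: control cmd: forward off
"""

# syslog-style prefix: timestamp, unbound[pid:thread], level, message
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+unbound\[(?P<pid>\d+):(?P<thr>\d+)\]"
    r"\s+\w+:\s+(?P<msg>.*)$")
CONN = re.compile(r"new control connection from ip[46] (?P<addr>\S+) port (?P<port>\d+)")
CMD = re.compile(r"control cmd:\s*(?P<cmd>.+)")
# unbound-control commands that alter forwarding (assumed set, see lead-in)
FORWARD_CHANGING = {"forward", "forward_add", "forward_remove"}

def find_forward_overrides(log_text):
    """Return one finding per control command that changes forwarding."""
    last_peer = {}   # (pid, thread) -> most recent control peer "addr:port"
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["pid"], m["thr"])
        conn = CONN.search(m["msg"])
        cmd = CMD.search(m["msg"])
        if conn:
            last_peer[key] = f'{conn["addr"]}:{conn["port"]}'
        elif cmd:
            words = cmd["cmd"].split()
            # "forward" with no argument only prints the current forwarders
            if not words or words[0] not in FORWARD_CHANGING or words == ["forward"]:
                continue
            findings.append({"time": m["ts"], "pid": m["pid"],
                             "peer": last_peer.get(key, "unknown"),
                             "cmd": " ".join(words)})
    return findings

if __name__ == "__main__":
    for f in find_forward_overrides(SAMPLE_LOG):
        print(f'{f["time"]} pid {f["pid"]}: "{f["cmd"]}" from {f["peer"]}')
```

The peer is a loopback address and ephemeral port, so it only confirms that the caller is a local process; finding which program it was still needs a look at what is installed, as suggested above.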
