Bug #4407
closed
unbound advanced settings broken
0%
Description
Same symptom as https://redmine.pfsense.org/issues/4090, but a different reason:
When domain overrides are set, any custom option will break the unbound.conf (syntax error). This happens because custom unbound options are written to unbound.conf after domain overrides, which apparently isn't legal (the options are probably interpreted as stub-domain parameters).
Moving {$custom_options} in /etc/inc/unbound.inc BEFORE all includes fixes the problem.
Updated by Phillip Davis over 9 years ago
If you have a patch change that works, it will be very easy for the devs if you make the edit at https://github.com/pfsense and submit a pull request.
That will save someone else working out exactly where is the place to move custom_options.
Updated by Kill Bill over 9 years ago
What advanced settings? This is just not true in general. Prefix the custom options with server: as noted on the bug you linked. I have many domain overrides, placing stuff like
server: harden-below-nxdomain: yes
into advanced settings works perfectly fine and breaks nothing.
Updated by Andreas Pflug over 9 years ago
In my case, I need do-not-query-localhost: no set.
Updated by Andreas Pflug over 9 years ago
Kill Bill wrote:
What advanced settings? This is just not true in general. Prefix the custom options with server: as noted on the bug you linked. I have many domain overrides, placing stuff like
[...]
into advanced settings works perfectly fine and breaks nothing.
Ok, taken from your example, I found that adding server: makes the config work again. This is fine if you know it, but appears as quite a pitfall to me. Moving the custom option generation as suggested would make any option appear under the server section automatically, just as it is without domain/host overrides.
Updated by Kill Bill over 9 years ago
Andreas Pflug wrote:
Moving the custom option generation as suggested would make any option appear under the server section automatically, just as it is without domain/host overrides.
How does that fix anything? The server: clause is not the place for different kinds of things, like the stub zone and forward zone options, which need to go under stub-zone: and forward-zone: clauses, respectively.
Updated by Kill Bill over 9 years ago
Can we please append a link to unbound.conf(5) manpage (https://www.unbound.net/documentation/unbound.conf.html) with a note to stick any advanced options under the appropriate clause? Like, after the "Enter any additional configuration parameters to add to the DNS Resolver configuration here, separated by a newline" text below the General Settings - Advanced box... (Users should know what they are doing with advanced stuff, or just not use it at all.)
Updated by Andreas Pflug over 9 years ago
Kill Bill wrote:
The server: clause is not the place for different kind of things, like the stub zone and forward zone options, which need to go under stub-zone: and forward-zone: clauses, respectively.
I don't question that. But currently, a single custom option is generated under an arbitrary zone. It might be server: if no overrides are present, might be stub-zone:, or something different.
Generating it before other includes would make the server: section default, with the possibility to override it later.
Updated by Chris Buechler over 9 years ago
- Status changed from New to Rejected
nothing is broken, just have to put things in correctly. added #4411 to add input validation at some point to prevent foot-shooting.
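The pitfall discussed in this thread can be caught before the text reaches unbound.conf. The following is an added example, not pfSense code and not the validation tracked in #4411: the function name check_custom_options, the clause list and the zone-only attribute list are assumptions made here (small subsets of unbound.conf(5)), and comment handling is simplified.

```python
import re

# Clause headers from unbound.conf(5); a subset, enough for this check.
CLAUSES = {"server", "remote-control", "stub-zone", "forward-zone",
           "auth-zone", "view", "python"}
# Attributes that belong to one specific clause only (subset).
ZONE_ONLY = {
    "stub-addr": "stub-zone", "stub-host": "stub-zone",
    "forward-addr": "forward-zone", "forward-host": "forward-zone",
}
TOKEN = re.compile(r"([A-Za-z0-9-]+):\s*")


def check_custom_options(text):
    """Return (line_number, message) pairs for options that are misplaced."""
    problems = []
    clause = None  # no clause opened yet inside the custom options box
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified)
        while line:
            m = TOKEN.match(line)
            if not m:
                problems.append((lineno, f"cannot parse: {line!r}"))
                break
            key, rest = m.group(1), line[m.end():]
            if key in CLAUSES:
                # A header may share its line with the first option,
                # as in "server: harden-below-nxdomain: yes".
                clause, line = key, rest
                continue
            if key == "include":
                break  # include: is allowed anywhere
            if clause is None:
                problems.append((lineno,
                    f"'{key}:' precedes any clause header; it would attach to "
                    "whatever clause ends the generated config, e.g. a "
                    "stub-zone: written for a domain override"))
            elif ZONE_ONLY.get(key, clause) != clause:
                problems.append((lineno,
                    f"'{key}:' belongs under {ZONE_ONLY[key]}:, not {clause}:"))
            break  # the rest of the line is the option's value
    return problems


if __name__ == "__main__":
    # Constructed sample input: the option from this thread, without a header.
    for lineno, msg in check_custom_options("do-not-query-localhost: no"):
        print(f"line {lineno}: {msg}")
```
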