Bug #6072


Unbound: Advanced options does not work

Added by Grischa Zengel over 5 years ago. Updated over 5 years ago.

Not a Bug
DNS Resolver


If you put "access-control: allow" into advanced, unbound doesn't start, with:

/var/unbound/unbound.conf:93: error: syntax error
read /var/unbound/unbound.conf failed: 1 errors in configuration file
[1459797986] unbound[43260:0] fatal error: Could not read config file: /var/unbound/unbound.conf

If you edit unbound.conf and put "access-control: allow" before "include: /var/unbound/domainoverrides.conf" it works.


Updated by Chris Buechler over 5 years ago

  • Status changed from New to Not a Bug
  • Target version deleted (2.3.1)
  • Affected Version deleted (2.2.x)

Not seeing a problem here. Yeah that doesn't work as it's not valid. If you try to add that in a config where it will fail, you end up with:

The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/unbound.conf:89: error: syntax error
read /var/unbound/test/unbound.conf failed: 1 errors in configuration file

and cannot save the config.

Regardless, this is addressed with #6073.


Updated by Grischa Zengel over 5 years ago

  1. With 2.2.x you won't see this error. Unbound won't even start.
  2. "access-control: allow" is a right command and works until you configure Domain Overrides.

The problem is the order of the commands.

For testing:
  1. Take a plain pfSense
  2. Add custom options (in 2.2.x advanced options): harden-dnssec-stripped: yes
    • You can apply, it works and you don't get an error
  3. Configure Domain Overrides
    • Now apply - unbound crashes, but you don't see an error
    • Press save again and you get an error

The problem is the section. It changes for the custom options from server to stub-zone if you add Domain Overrides.

Who knows this?

My suggestion:
  1. Put the custom options in front of include domainoverrides.conf.
    • domainoverrides changes the section on its own, so nothing happens if there are section changes inside the custom options.
  2. Why didn't I see the crash after adding the Domain Overrides? There is no error detection if no save button is pressed.
  3. Put a note under the custom options field that the commands are always in the server: section and the section can be changed by the user with keywords.

Updated by Grischa Zengel over 5 years ago

I thought about this a second time:

To avoid any confusion with this setting, always put a "server:" in front of the custom settings.
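
The clause-ordering behaviour described in this thread, as an added example that is not part of the original ticket or of pfSense's code: a small Python check that follows `include:` lines, tracks the clause currently in effect, and reports server options that land outside `server:`. The generated-file layout, the sample stub-zone contents and all function names are assumptions made for illustration.

```python
# Clause headers that switch the current section (subset of unbound.conf(5)).
CLAUSES = {"server", "remote-control", "stub-zone", "forward-zone", "auth-zone", "view"}
# Options that belong in server: (the two named in this thread).
SERVER_ONLY = {"access-control", "harden-dnssec-stripped"}

# Constructed sample of what a Domain Overrides include file could contain.
DOMAIN_OVERRIDES = 'stub-zone:\n    name: "corp.example"\n    stub-addr: 192.0.2.53\n'
INCLUDE_PATH = "/var/unbound/domainoverrides.conf"


def build_config(custom, prefix_server=False):
    """Assumed layout: server options, the include, then the custom options."""
    head = "server:\n    interface: 127.0.0.1\ninclude: " + INCLUDE_PATH + "\n"
    return head + ("server:\n" if prefix_server else "") + custom + "\n"


def effective_clauses(text, includes):
    """Return [(option, clause)] in reading order; includes maps path -> file text."""
    seen, state = [], {"clause": None}

    def walk(body):
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            key, _, value = (part.strip() for part in line.partition(":"))
            if key == "include":
                # Included text is read in place, so the clause state carries over.
                walk(includes.get(value.strip('"'), ""))
            elif key in CLAUSES and not value:
                state["clause"] = key
            else:
                seen.append((key, state["clause"]))

    walk(text)
    return seen


def misplaced(text, includes):
    """Server-only options that end up outside the server: clause."""
    found = effective_clauses(text, includes)
    return [(k, c) for k, c in found if k in SERVER_ONLY and c != "server"]


if __name__ == "__main__":
    custom = "harden-dnssec-stripped: yes"
    print(misplaced(build_config(custom), {INCLUDE_PATH: ""}))
    print(misplaced(build_config(custom), {INCLUDE_PATH: DOMAIN_OVERRIDES}))
    print(misplaced(build_config(custom, True), {INCLUDE_PATH: DOMAIN_OVERRIDES}))
```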

