Hello, I had a look at it and it appears people already thought of this:

# ls -l /var/unbound/
total 24
drwxr-xr-x  2 unbound unbound 512 Nov 10 07:07 conf.d
-rw-r--r--  1 root    unbound 193 Mar 27 07:25 control.conf
-rw-r--r--  1 root    unbound 223 Mar 27 07:25 forward.conf
-rw-r--r--  1 root    unbound 189 Mar 27 07:25 lan-zones.conf
-rw-r--r--  1 unbound unbound 758 Mar 27 07:25 root.key
-rw-r--r--  1 root    unbound 411 Mar 27 07:25 unbound.conf

In the conf.d directory I can put my customisations that get included
via unbound.conf

The only issue I found is that the logic in the /etc/rc.d/local_unbound
script is a bit buggy.

With no config files in /var/unbound it generates a correct config:

# sysrc local_unbound_enable=YES
# sysrc local_unbound_tls=YES
# sysrc local_unbound_forwarders="1.0.0.1@853#one.one.one.one 1.1.1.1@853#one.one.one.one"
# service local_unbound start
Performing initial setup.
destination: 
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/control.conf created
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
Original /etc/resolv.conf saved as /var/backups/resolv.conf.
20240327.070818 Starting local_unbound.

However if I later decide for example, to disable TLS:

# service local_unbound stop
# sysrc local_unbound_tls=NO
local_unbound_tls: YES -> NO
# service local_unbound start
Starting local_unbound.
Waiting for nameserver to start... good

No config files are updated and TLS is still enabled:

# cat /var/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-tls-upstream: yes
        forward-addr: 1.0.0.1@853#one.one.one.one
        forward-addr: 1.1.1.1@853#one.one.one.one

This is due to this function in /etc/rc.d/local_unbound, which runs
setup only if the unbound config file is missing:

local_unbound_prestart()
{
        # Create configuration file
        if [ ! -f ${local_unbound_config} ] ; then
                run_rc_command setup
        fi

        # Retrieve DNSSEC root key
        if [ ! -s ${local_unbound_anchor} ] ; then
                run_rc_command anchor
        fi
}

I guess the workaround is to "rm -f /var/unbound/*" after changes to
rc.conf.
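As an added illustration of the regeneration check the report above points at (this is example code, not the post's own script nor FreeBSD's rc.d/local_unbound), the prestart below reruns setup not only when unbound.conf is missing but also when a fingerprint of the rc.conf settings that feed the generated files has changed. The work directory, the stamp file, the `settings_fingerprint` and `local_unbound_needs_setup` helpers, and the stand-in `local_unbound_setup` are all assumptions made for this sketch.

```shell
#!/bin/sh
# Hypothetical stand-ins for rc.conf variables and /var/unbound.
local_unbound_workdir="${local_unbound_workdir:-$(mktemp -d)}"
local_unbound_config="$local_unbound_workdir/unbound.conf"
local_unbound_stamp="$local_unbound_workdir/.settings.cksum"   # assumed stamp file
local_unbound_tls="${local_unbound_tls:-YES}"
local_unbound_forwarders="${local_unbound_forwarders:-1.1.1.1@853#one.one.one.one}"

# Fingerprint every setting that influences the generated files.
settings_fingerprint() {
    printf '%s\n%s\n' "$local_unbound_tls" "$local_unbound_forwarders" | cksum
}

# Stand-in for "run_rc_command setup": writes forward.conf (shaped like the
# file quoted in the post) plus a minimal unbound.conf, then records the stamp.
local_unbound_setup() {
    tls=no
    case "$local_unbound_tls" in [Yy][Ee][Ss]) tls=yes ;; esac
    {
        printf 'forward-zone:\n\tname: .\n\tforward-tls-upstream: %s\n' "$tls"
        for fwd in $local_unbound_forwarders; do
            printf '\tforward-addr: %s\n' "$fwd"
        done
    } > "$local_unbound_workdir/forward.conf"
    printf 'include: %s/forward.conf\n' "$local_unbound_workdir" > "$local_unbound_config"
    settings_fingerprint > "$local_unbound_stamp"
}

# Exit 0 when the config is missing or the settings changed since last setup.
local_unbound_needs_setup() {
    [ ! -f "$local_unbound_config" ] && return 0
    [ "$(settings_fingerprint)" != "$(cat "$local_unbound_stamp" 2>/dev/null)" ]
}

# Prestart that regenerates on change instead of only on a missing file.
local_unbound_prestart() {
    if local_unbound_needs_setup; then
        echo "Settings changed or config missing: regenerating."
        local_unbound_setup
    fi
    return 0
}

local_unbound_prestart
```

Running it a second time with a different `local_unbound_tls` value in the environment regenerates forward.conf; rerunning with unchanged settings leaves the files alone.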
