On 2022-01-05 16:28:21 +0100, Vincent Lefevre wrote:
> On 2022-01-05 16:12:52 +0100, Andrej Shadura wrote:
> > unbound (1.5.7-2) unstable; urgency=medium
> >
> >   * debian/rules: Disable the resolvconf update.d hook by default
> >
> > I guess this is it. No idea why, no explanation.
>
> Probably. In any case, having the hook script installed, but silently
> disabled will confuse many people!
>
> But I don't see why it should be disabled: if the users do not want
> the DHCP-provided servers as a fallback, they can just configure the
> DHCP client not to accept these servers.

/usr/share/doc/unbound/NEWS.Debian.gz, in 2016:

  The resolvconf update.d hook can be problematic, especially if the upstream
  nameservers do not perform DNSSEC validation, or if a "forward-zone"
  declaration for the root zone has been statically configured by the
  administrator. In previous versions, the hook was enabled by default, but it
  is now disabled by default. It can be explicitly enabled by running "chmod +x
  /etc/resolvconf/update.d/unbound".

But I don't understand. The upstream nameservers are supposed to be
used as a fallback. Even if upstream nameservers do not perform DNSSEC
validation, this is still better than a failure when DNSSEC is not
required.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
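
Added example, not part of the original message or of the Debian package: a small audit of the two conditions the NEWS.Debian entry names, namely whether the hook's execute bit is set and whether a static "forward-zone" for the root zone exists. The function names are hypothetical, and the parser assumes one directive per line and does not follow "include:" directives.

```shell
#!/bin/sh
# Added example: report the state described in unbound's NEWS.Debian entry.
# Paths are parameters so the check can be run against copies of the files.

# hook_state FILE -> prints "absent", "disabled" or "enabled".
# resolvconf only runs update.d scripts that are executable, so the
# execute bit is the on/off switch ("chmod +x" in NEWS.Debian).
hook_state() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -x "$1" ]; then echo enabled
    else echo disabled
    fi
}

# has_root_forward CONF -> exit 0 if a forward-zone clause names the root zone.
# Assumption: one directive per line; include: files are not followed.
has_root_forward() {
    awk '
        { sub(/#.*/, "") }                            # strip comments
        /^[ \t]*[a-z-]+:[ \t]*$/ {                    # clause header line
            in_fz = ($1 == "forward-zone:"); next
        }
        in_fz && $1 == "name:" {
            v = $2; gsub(/"/, "", v)                  # accept "." and .
            if (v == ".") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit HOOK CONF -> prints one summary line; returns 1 when the hook is
# enabled while a static root forward-zone is configured (the combination
# NEWS.Debian calls problematic), 0 otherwise.
audit() {
    state=$(hook_state "$1")
    if [ -r "$2" ] && has_root_forward "$2"; then root=yes; else root=no; fi
    echo "hook=$state root-forward-zone=$root"
    [ "$state" = enabled ] && [ "$root" = yes ] && return 1
    return 0
}

# Stand-alone use: sh audit.sh HOOK CONF
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

On a Debian system the arguments would be /etc/resolvconf/update.d/unbound (the path from NEWS.Debian) and the main unbound configuration file, assumed here to be /etc/unbound/unbound.conf.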