Unbound-control set_option domain-insecure:?

Hi,

I'm having some problems with (unbound 1.4.17):
unbound-control set_option domain-insecure: arm.gov.

If I do:
unbound-control reload
unbound-control set_option domain-insecure: arm.gov.

and then dig @127.0.0.1 ns arm.gov.

I get validation errors (and the dig query fails with SERVFAIL):
info: validation failure <arm.gov. NS IN>: no keys have a DS with algorithm RSASHA1-NSEC3-SHA1 from 192.101.109.47 for key arm.gov. while building chain of trust

But if I put:
domain-insecure: "arm.gov." into unbound.conf
and do unbound-control reload
and then try the query (dig @127.0.0.1 ns arm.gov.) it works just fine
(w/out validation)

Is there something obvious that I'm missing ?
(man unbound-control set_option doesn't list domain-insecure as working ?)

This "workaround" seems to work:
unbound-control stub_add +i arm.gov. 127.0.0.1; unbound-control \
  stub_remove arm.gov.
(but unbound-control get_option domain-insecure doesn't show arm.gov.
after this "workaround").

-Jarno

Hi Jarno,

Hi,

I'm having some problems with (unbound 1.4.17): unbound-control
set_option domain-insecure: arm.gov.

Yes set_option and get_option do not work with domain-insecure, like
it says on the man-page. The special code for the command stub_add,
that adds a domain-insecure works, so your workaround is fine.

The reason why it does not work, is that get_option and set_option are
basically using the same interface as 'libunbound' setoption and
getoption, however, the daemon is already running (unlike when the
functions are used with libunbound) and therefore it has already been
initialised. Options that are referenced at runtime work. Options
that are referenced by the initialisation code fail to work, because
the option value is changed but the code is not re-initialised when
you run unbound-control set_option.

Best regards,
   Wouter