Unbound-host bug parsing commandline

Hi,

There is a difference between:

   unbound-host -C /etc/unbound/unbound.conf -d -d -d

and:

   unbound-host -d -d -d -C /etc/unbound/unbound.conf

This is not at all obvious. I suggest that specifying -d -d -d should
override the verbosity: setting from the conf file, irrespective of
the order of the arguments.

I think I also got bitten by a changed default, where unbound no longer
reads the /etc/unbound/unbound.conf. That makes the unbound command kind
of hard to use. Why would someone use unbound-host without specifying
any conf file (and therefore any key)?

Paul

Hi Paul,

Fixed in svn r1856.

Thanks for the bug report.

> There is a difference between:
>     unbound-host -d -d -d -C /etc/unbound/unbound.conf
> This is not at all obvious. I suggest that specifying -d -d -d should
> override the verbosity: setting from the conf file, irrespective of
> the order of the arguments.
>
> I think I also got bitten by a changed default, where unbound no longer
> reads the /etc/unbound/unbound.conf. That makes the unbound command kind
> of hard to use. Why would someone use unbound-host without specifying
> any conf file (and therefore any key)?

unbound-host never read the default config file.

unbound-host performs the whole recursive lookup (so, not like dig), and
can do the whole validation as well. Like you had a copy of the unbound
daemon inside it (which is how it works). So making that work on its
own is useful, because it is likely to work when your daemon (-s config
file) is broken.

But those were my assumptions. Other stuff could be more useful.

With the root getting signed, some way for unbound-host to find
a root key is useful. /etc/dnssec.root.key? /etc/dnssec.conf?
Should there be the same file for all validators on the machine? The
file format is likely an issue - as we already have different file
formats for:
* unbound 'plain zone format DS or DNSKEYs with ;comments allowed'
* autotrust or unbound 'rfc5011 state' files, like the above with
special ;comments. Slight difference between autotrust-original and the
unbound-imported, but compatible enough to switch from one to the other
(don't let them both fight over the same file at the same time).
* bind-style trusted-key{} clauses
* ... however the ISC folk go and store the 5011 state
* dig-sigchase-style 'single line with one DNSKEY only'

Otherwise, compiling the root key into unbound-host is an option.
Much like it uses compile-time root-hints (and nobody complains
about that) as default. To do that, you would need that trust-history
draft I keep pushing into the IETF (or some other solution) ...

Best regards,
   Wouter
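As an added illustration of the format problem Wouter describes above (this is example code written for this page, not unbound's or BIND's own code), the following reads two of the listed formats, plain zone-format DS/DNSKEY records with `;` comments and a bind-style `trusted-keys{}` clause, into one tuple representation so that anchors from both sources can be compared. The key tags, digests and key material in the sample inputs are constructed placeholders, not real root keys.

```python
"""Normalise two of the trust-anchor file formats listed in the thread.

Added example, not unbound's or BIND's code. Both sample inputs below are
constructed placeholders; the digest and key bytes are not real anchors.
"""
import re
from collections import namedtuple

# (owner name, record type, tuple of the record's numeric/text fields)
Anchor = namedtuple("Anchor", "name rtype fields")

# Constructed sample in unbound's plain zone format, ';' comments allowed.
ZONE_FORMAT = """\
; root trust anchors, constructed placeholder data
.   3600 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
.   3600 IN DNSKEY 257 3 8 AwEAAexampleplaceholderkeydata==   ; KSK
"""

# Constructed sample in bind-style trusted-keys{} format.
BIND_FORMAT = """\
trusted-keys {
    "." 257 3 8 "AwEAAexampleplaceholderkeydata==";
};
"""


def parse_zone_format(text):
    """Parse DS and DNSKEY records from zone-format lines; ';' starts a comment."""
    anchors = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name, rest = parts[0], parts[1:]
        # Optional TTL and class may sit between the owner name and the type.
        if rest and rest[0].isdigit():
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype = rest[0].upper()
        if rtype == "DS":
            keytag, alg, dtype = int(rest[1]), int(rest[2]), int(rest[3])
            digest = "".join(rest[4:]).upper()       # digest may be split by whitespace
            anchors.append(Anchor(name, "DS", (keytag, alg, dtype, digest)))
        elif rtype == "DNSKEY":
            flags, proto, alg = int(rest[1]), int(rest[2]), int(rest[3])
            key = "".join(rest[4:])                   # base64 may be split by whitespace
            anchors.append(Anchor(name, "DNSKEY", (flags, proto, alg, key)))
    return anchors


def parse_bind_trusted_keys(text):
    """Parse '"name" flags proto alg "base64";' statements from a trusted-keys{} clause."""
    anchors = []
    body = re.search(r"trusted-keys\s*\{(.*)\}\s*;", text, re.S)
    if not body:
        return anchors
    for stmt in body.group(1).split(";"):
        m = re.match(r'\s*"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"', stmt)
        if m:
            name, flags, proto, alg, key = m.groups()
            anchors.append(Anchor(name, "DNSKEY",
                                  (int(flags), int(proto), int(alg), key.replace(" ", ""))))
    return anchors


def common_dnskeys(a, b):
    """DNSKEY anchors present in both sources; an empty result means the files disagree."""
    keys_a = {x for x in a if x.rtype == "DNSKEY"}
    keys_b = {x for x in b if x.rtype == "DNSKEY"}
    return sorted(keys_a & keys_b)


if __name__ == "__main__":
    zone = parse_zone_format(ZONE_FORMAT)
    bind = parse_bind_trusted_keys(BIND_FORMAT)
    for anchor in common_dnskeys(zone, bind):
        print("shared anchor:", anchor)
```

Only the DNSKEY form can be compared directly across the two inputs, since the bind clause carries no DS records; comparing a DS against a DNSKEY would require computing the digest over the key, which this example deliberately leaves out.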

I just got bitten by a similar issue to this. If the config file specified with
-C includes use-syslog:yes then unbound-host sends its output to syslog and not
to stderr as the -d option implies. It also severely DOSes your syslog :P

I suggest unbound-host to ignore/override this setting to use-syslog:no, or to
provide an option for this.

Paul

Hi Paul,

Fixed in svn r2056. It disables syslog with the new get_option and
set_option libunbound calls.

Best regards, Wouter
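The two bugs in this thread have the same shape: an option parser that applies each setting the moment it is parsed lets a later -C silently undo an earlier -d, and lets a config file's use-syslog:yes redirect a command-line tool's output. The model below is added example code written for this page (not unbound-host's own source) that contrasts the order-dependent behaviour with the fix of collecting command-line overrides first, loading the config file, and applying the overrides last. The config file contents and the `old_behaviour`/`new_behaviour` names are constructed for the illustration.

```python
"""Model of unbound-host's -d / -C / use-syslog handling from the thread.

Added example, not unbound's code. Config files are constructed in-memory
strings passed in a dict, so nothing touches /etc/unbound.
"""
import re

# Constructed stand-in for the contents of /etc/unbound/unbound.conf.
SAMPLE_CONF = """
server:
    verbosity: 1      # quiet daemon default
    use-syslog: yes   # fine for the daemon, wrong for a CLI tool
"""

DEFAULTS = {"verbosity": "0", "use-syslog": "no"}


def parse_conf(text):
    """Collect 'key: value' lines of an unbound.conf-style text into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w-]+):\s*(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def old_behaviour(argv, conf_files):
    """Apply every option as soon as it is seen: the order-dependent bug."""
    opts = dict(DEFAULTS)
    debug = 0
    i = 0
    while i < len(argv):
        if argv[i] == "-d":
            debug += 1
            opts["verbosity"] = str(debug)          # overwritten by a later -C
        elif argv[i] == "-C":
            i += 1
            opts.update(parse_conf(conf_files[argv[i]]))  # clobbers earlier -d
        i += 1
    return opts


def new_behaviour(argv, conf_files):
    """Parse everything first, load the config, then let the command line win."""
    opts = dict(DEFAULTS)
    debug = 0
    conf_path = None
    i = 0
    while i < len(argv):
        if argv[i] == "-d":
            debug += 1
        elif argv[i] == "-C":
            i += 1
            conf_path = argv[i]
        i += 1
    if conf_path is not None:
        opts.update(parse_conf(conf_files[conf_path]))
    if debug:
        opts["verbosity"] = str(debug)   # -d -d -d overrides verbosity: from the file
    # A CLI tool reports on stderr; never let the file redirect it to syslog.
    opts["use-syslog"] = "no"
    return opts


if __name__ == "__main__":
    files = {"/etc/unbound/unbound.conf": SAMPLE_CONF}
    for argv in (["-C", "/etc/unbound/unbound.conf", "-d", "-d", "-d"],
                 ["-d", "-d", "-d", "-C", "/etc/unbound/unbound.conf"]):
        print(" ".join(argv))
        print("  old:", old_behaviour(argv, files))
        print("  new:", new_behaviour(argv, files))
```

Run as a script it prints the old result flipping verbosity between 3 and 1 depending on argument order (with use-syslog: yes leaking through in both cases), and the new result staying at verbosity 3 with syslog off whichever way the arguments are given.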