Unbound fails to parse config if DNS Query Forwarding and custom options are enabled

Fry-kun

If DNS Query Forwarding is enabled, custom options may not work (config parsing error is reported)

Config example (error):

# Forwarding
forward-zone:
        name: "." 
        forward-tls-upstream: yes
        forward-addr: 8.8.8.8@853
        forward-addr: 8.8.4.4@853

# Unbound custom options
log-servfail: yes

Config example (good):

# Unbound custom options
log-servfail: yes

# Forwarding
forward-zone:
        name: "." 
        forward-tls-upstream: yes
        forward-addr: 8.8.8.8@853
        forward-addr: 8.8.4.4@853

For some weird reason order matters.. and the web UI orders them in the wrong way :(

Filed https://redmine.pfsense.org/issues/11263, will see if that gets fixed

johnpoz

Are you putting in the server: entry in the custom option box that needs to be there?

Fry-kun

Looks like that's exactly what was missing :(

I hope the devs can add some help text near that section, feels like I already had this problem before (my other config includes "server:" prefix line)

johnpoz

That's prob not a bad idea, I could see how that might not be obvious..

Gertjan

Because their are many option, a link to the doc should be best as it covers all the options:

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

   Server Options
       These options are part of the server: clause.
.....
.....
      log-servfail: <yes or no>
              Print log lines that say why queries return SERVFAIL to clients.
              This is separate from the verbosity debug  logs,  much  smaller,
              and printed at the error level, not the info level of debug info
              from verbosity.

johnpoz

I think he means it should maybe have a note by the custom option box that server: is a required entry..

Fry-kun

In simplest form, something like "Section headers are required, see <doc link>." would help a lot.

Gertjan

It's no a link, but half way the Services > DNS Resolver > General Settings we find :

the info is out in the world : pfSense uses 'unbound' as the Resolver. It's said. That should ring a bell.
Probably for space reasons, pfSense doesn't include man pages.
But : throwing in "unbound.conf(5)" into your favourite browser will show as the first proposition : the official unbound config file doc.

If, at that moment, the reader doesn't know that config files uses some formatting, like the known (?) windows INI files, then the "custom options" just shouldn't be used at all.

A red text with : "Know what you are doing" would also be very appropriate here ;)

But isn't such a phrase always applicable ? So no need to show that neither ....

The manual :

doesn't link to the unbound man pages neither. Happy enough, some of us see the format right away :
It's

server:

and not, for example,

[server]

but I presume here that the user should know what a 'section' is. Or, as unbound (NLLabs) calls them : 'clauses'.

The "Custom options" box exists, but it seems like Netgate/pfSense doesn't want you to actually use it (as then they have to support it ?) . That will open a new can of worms.

Anyway, this is just me thinking out loud.

johnpoz

@gertjan said in Unbound fails to parse config if DNS Query Forwarding and custom options are enabled:

A red text with : "Know what you are doing" would also be very appropriate here ;)

Dude I'm dying.. hehehehehe ROFL... Yeah that should really be everywhere in blinking red text ;) hehehehehehehe