[Swan-dev] setting libunbound options

Štěpán Brož stepan at izitra.cz
Tue Jan 29 12:18:18 UTC 2019


Hello,

I have spent some time playing with libunbound in libreswan, and while
I found the ability to change logging verbosity and logfile directly
in the /etc/unbound/unbound.conf file without the need to rebuild
libreswan quite handy for debug purposes, there are some downsides in
using it:

- The use of /etc/unbound/unbound.conf does require a change to
SELinux policy itself, and so does opening a non-standard logfile,
etc.
- When the "unbound" DNS server is co-located with libreswan on a
single host, using the server's configuration file for libreswan may
bring undesired side effects.

And regarding the "outgoing-port-permit" and "outgoing-port-avoid"
settings, those configuration options are read by the DNS server
application only (in daemon.c); the library does not respect them,
either from the unbound.conf file or when setting them directly using
ub_ctx_set_option(). A code change in libunbound would be required. I
have tested this using unbound-libs-1.7.3, but couldn't find a
relevant change in more recent versions either. Random UDP src ports
are selected manually in the code; it is not the OS assigning those.

If you need some unbound configuration options, set them directly via
the API. If those options should be user-configurable, appropriate
configuration options should be introduced to ipsec.conf in my
opinion.

Respectfully,

Stepan
