Bug 681 - Setting forwarders with "unbound-control forward ...." implicitly turns on forward-first
Product: unbound
Classification: Unclassified
Component: server
All All
: P5 normal
Assigned To: unbound team
Reported: 2015-07-08 12:04 CEST by Kim Vandry
Modified: 2015-07-09 11:46 CEST (History)

set forward-first to off instead of on on unbound-control forward ... (247 bytes, patch)
2015-07-08 12:04 CEST, Kim Vandry

Description Kim Vandry 2015-07-08 12:04:52 CEST
Created attachment 287
set forward-first to off instead of on on unbound-control forward ...

When using forwarders, the default setting for "forward-first" is "off", which means that Unbound will *not* fall back to processing queries without using the forwarders and instead just reply SERVFAIL in case all of the forwarders are unreachable.

If forwarders are reconfigured using

    unbound-control forward x.y.x.w a.b.c.d

or using

    unbound-control forward_add . e.f.g.h

then the added forwarders implicitly activate forward-first behaviour, even if it was configured off before.

Contrast the way forwarders are added when they are seen in the configuration file:

    iterator/iter_fwd.c line 267 in read_forwards()

    dp->has_parent_side_NS = (uint8_t)!s->isfirst;

(has_parent_side_NS is TRUE in the normal case that forward-first is FALSE).

Versus the way forwarders are added when they come from unbound-control:

    daemon/remote.c functions parse_delegpt()

    dp->has_parent_side_NS is never set so it is FALSE by default.

I believe this is unexpected for users: the default value for forward-first is off, so users will not expect it to be implicitly turned on through use of unbound-control.

I have prepared a (very simple!) patch to force forward-first to off on the forwarders that are set by unbound-control. I believe this makes for a better default, but it is not ideal since there is still no way to control it.

I defer to the developers' opinion for the best way to change this:

(1) provide a way to configure the forward-first setting on or off via unbound-control
(2) attempt to preserve the current setting of forward-first when setting new forwarders via unbound-control
(3) ???
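
The inverted flag described in this report, as an added example that is not part of the original report and is not Unbound source code. It is a simplified model: only `has_parent_side_NS` and `isfirst` come from the report, the struct and function names are hypothetical, and the patched path assumes the fix simply forces the flag on.

```c
/* Simplified model of the flag described in this report; not Unbound source.
 * Only has_parent_side_NS and isfirst come from the report; the struct and
 * function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum outcome { OUT_SERVFAIL, OUT_FALLBACK };

struct fwd_model { uint8_t has_parent_side_NS; /* 1 = forward-first off */ };

/* Config-file path: mirrors the line quoted from read_forwards(). */
static struct fwd_model from_config(int isfirst) {
    struct fwd_model dp = {0};
    dp.has_parent_side_NS = (uint8_t)!isfirst;
    return dp;
}

/* unbound-control path as reported: the flag is never set, so it stays 0. */
static struct fwd_model from_remote_reported(void) {
    struct fwd_model dp = {0};
    return dp;
}

/* unbound-control path with forward-first forced off (assumed fix shape). */
static struct fwd_model from_remote_patched(void) {
    struct fwd_model dp = {0};
    dp.has_parent_side_NS = 1;
    return dp;
}

/* Behaviour the report describes once every forwarder is unreachable. */
static enum outcome all_forwarders_down(struct fwd_model dp) {
    return dp.has_parent_side_NS ? OUT_SERVFAIL : OUT_FALLBACK;
}

/* 1 if the runtime entry keeps the forward-first value from the config. */
static int policy_preserved(int configured_isfirst, struct fwd_model dp) {
    return all_forwarders_down(from_config(configured_isfirst))
        == all_forwarders_down(dp);
}

int main(void) {
    printf("config off, reported remote path keeps policy: %d\n",
           policy_preserved(0, from_remote_reported()));
    printf("config off, patched remote path keeps policy:  %d\n",
           policy_preserved(0, from_remote_patched()));
    printf("config on,  patched remote path keeps policy:  %d\n",
           policy_preserved(1, from_remote_patched()));
    return 0;
}
```

The third case is the limitation the report itself notes: with the flag forced on, a configuration that had forward-first enabled loses it when forwarders are replaced through unbound-control.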
Comment 1 Wouter Wijngaards 2015-07-09 11:46:38 CEST
Hi Kim,

Thank you for the patch, applied.  I think the patch is the best solution.  People that want forward_first can set this in unbound.conf; and unbound-control options are not needed at this time, because few people need the forward_first option.  (otherwise some sort of +f option for unbound-control).  Also I think the new default is better.

Best regards,