Package: unbound
Version: 1.6.0-3+deb9u2
Severity: important

tl;dr: unbound's include: path/*.conf does not use a stable, sorted
ordering of matching files, so Debian's /etc/unbound/unbound.conf does not
load parts from /etc/unbound/unbound.conf.d ditto.

tl;dr;workaround: flatten config parts with dependencies into the
depended-upon file, or use explicit include: statements to load them from
that file.  The latter seemed to require absolute paths when I tried it, but
maybe I was doing it rong.


Debian installs an /etc/unbound.conf which, in keeping with common Debian
practice, is designed to gather most of the configuration from conf files in
/etc/unbound.conf.d (this is not the setup that upstream teaches).  As a
long-time Debian user, I was pleased to see this, and proceeded to make use
of the facility, splitting the config for two local "zones" into separate
files, with some common local-zone config in a third one.  By luck, the
files happened to be loaded in the proper order when I tested all this on a
spare machine...  and I thought it was because the *.conf files were being
loaded in the usual sorted order that other Debian packages with a config.d
setup use.

When I copied (and modified) the local setup to another machine for actual
use, however, I learned that unbound does NOT process included files in this
sensible, predictable order.  Instead, they take the trouble to apply the
GLOB_UNSORTED flag to the glob() call, resulting in behavior which is
surprising for parts in a config.d in Debian.

Since (as best I can make out), the whole unbound.conf.d is entirely a
Debian addition, to make unbound fit better into Debian conventions, I think
it's important to make it work consistently with Debian conventions, or at
least to add a warning about the unexpected random loading order that the
current [stable/stretch] unbound.conf has for those conf files.

The unwanted flag is set in unbound's util/config_file.c, and that was as
deep as I dug into this before flattening the config to get it going.

Thanks!


-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-0.bpo.5-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unbound depends on:
ii  adduser              3.115
ii  dns-root-data        2019031302~deb9u1
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u4
ii  libevent-2.0-5       2.0.21-stable-3
ii  libfstrm0            0.3.0-1
ii  libprotobuf-c1       1.2.1-2
ii  libpython3.5         3.5.3-1+deb9u1
ii  libssl1.1            1.1.0j-1~deb9u1
ii  openssl              1.1.0j-1~deb9u1
ii  unbound-anchor       1.6.0-3+deb9u2

unbound recommends no packages.

Versions of packages unbound suggests:
ii  apparmor  2.11.0-3+deb9u2

-- no debconf information
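
The ordering problem described in this report, as an added example that is not part of the original message or of unbound's code: POSIX glob() called with GLOB_NOSORT returns matches in directory order, so the helper below sorts them byte-wise before they would be loaded. The function names, file names and temporary directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Byte-wise comparison: order is independent of directory layout and locale. */
static int cmp_path(const void *a, const void *b) {
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Expand pattern with GLOB_NOSORT (matches arrive in directory order), then
 * sort. Returns match count, 0 if none, -1 on error; globfree(g) if > 0. */
int glob_sorted(const char *pattern, glob_t *g) {
    int r = glob(pattern, GLOB_NOSORT | GLOB_ERR, NULL, g);
    if (r != 0) { globfree(g); return r == GLOB_NOMATCH ? 0 : -1; }
    qsort(g->gl_pathv, g->gl_pathc, sizeof(char *), cmp_path);
    return (int)g->gl_pathc;
}

/* Constructed conf.d: files are created out of order. Returns 1 when the
 * expansion comes back as 10-, 20-, 30- and skips the non-.conf file. */
int demo_sorted_includes(void) {
    const char *names[] = { "20-b.conf", "30-c.conf", "10-a.conf", "README" };
    char dir[] = "/tmp/confd-XXXXXX", path[128], pattern[128];
    glob_t g;
    int n, ok;
    if (!mkdtemp(dir)) return 0;
    for (size_t i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w");
        if (f) fclose(f);
    }
    snprintf(pattern, sizeof pattern, "%s/*.conf", dir);
    n = glob_sorted(pattern, &g);
    ok = n == 3 && strstr(g.gl_pathv[0], "/10-") && strstr(g.gl_pathv[1], "/20-")
                && strstr(g.gl_pathv[2], "/30-");
    if (n > 0) globfree(&g);
    for (size_t i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}

int main(void) { return demo_sorted_includes() ? 0 : 1; }
```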
