Control: severity -1 wishlist
Control: tag -1 confirmed

27.04.2022 16:48, ceddral wrote:
Package: unbound
Version: 1.15.0-4
Severity: normal
X-Debbugs-Cc: debian...@ceddral.org

Dear Maintainer,

unbound package upgrade introduced a default config to enable remote-control
via tcp socket.

Can you tell please which version did you upgrade from?
Please note that before, unbound in Debian had a patch
to secretly enable remote-control socket which by default
is tcp. In this release I just made it explicit instead of
doing it secretly.

Please change the default config to use a unix socket and avoid
the attack surface of a tcp socket with ssl authentication. e.g.:
remote-control:
     control-enable: yes
     control-interface: /var/lib/unbound/control.socket

Actually it was my thought to enable control socket (I'm not
sure /var/lib/unbound is a good place for it, /run sounds
better but I need to check if it works when unbound is
chrooted).

unbound.postinst generates the ssl certificates for quite a
long time, these probably should go away too.  And we'd better
check if unbound-control-setup script does the right thing.

So I thought I'd keep it the way it was for a long time.

And the most important thing is that it is the upstream default
for control socket. Maybe we should specify it in the
config file the way I did it in this release.

Thanks,

/mjt
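An added audit helper for the point discussed in this thread (not code from the bug report or from the unbound project): it reads the remote-control options out of an unbound.conf text, reports whether the control channel is a unix socket or a TCP listener (which is what needs the TLS certificates), and flags a socket path that would fall outside a configured chroot. The two config fragments are constructed samples, and the loopback fallback mirrors the upstream default when control-interface is not set.

```python
import re

# Constructed sample in the shape the report asks for, with a chroot line so
# the path check has something to compare against.
SAMPLE_UNIX = """\
server:
    chroot: "/var/lib/unbound"
remote-control:
    control-enable: yes
    control-interface: /var/lib/unbound/control.socket
"""

# Constructed sample of the TCP shape the report objects to.
SAMPLE_TCP = """\
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 8953
"""


def parse_options(conf: str) -> dict:
    """Collect option: value pairs from unbound.conf text; clause headers
    such as 'server:' carry no value and are skipped."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([\w-]+):\s*(.*)$", line)
        if not m or not m.group(2):
            continue
        opts.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return opts


def audit_remote_control(conf: str) -> dict:
    opts = parse_options(conf)
    enabled = opts.get("control-enable", ["no"])[-1].lower() == "yes"
    # Assumption: upstream default when control-interface is absent is loopback.
    ifaces = opts.get("control-interface", ["127.0.0.1", "::1"])
    unix = [i for i in ifaces if i.startswith("/")]   # a path means a unix socket
    tcp = [i for i in ifaces if not i.startswith("/")]
    chroot = opts.get("chroot", [""])[-1].rstrip("/")
    # A socket path outside the chroot cannot be created once unbound has chrooted.
    outside = [p for p in unix if chroot and not p.startswith(chroot + "/")]
    return {"enabled": enabled, "unix": unix, "tcp": tcp,
            "outside_chroot": outside,
            "tls_needed": enabled and bool(tcp)}  # TCP control uses the certs
```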
