unbound module: forward-zone generated incorrectly

[jasoncarr0]

Describe the bug
When generating a forward-zone, the new unbound module in 21.05 doesn't seem to generate valid syntax when using the example format:

The docs give the example to use:

      services.unbound.settings.forward-zone = [{
          name = ".";
          forward-addr = [ # Your current services.unbound.forwardAddresses ];
      }];

But doing this, with say forward-addr = [ "1.1.1.1" ];
results in this block for the forward-zone:

      forward-zone:
         forward-addr: 1.1.1.1
         name: .

which results in a syntax error from unbound apparently due to the missed indentation

A valid format would look like:

      forward-zone:
         name: "."
             forward-addr: 1.1.1.1

To Reproduce
Steps to reproduce the behavior:

1. Enable unbound and include the example forward-zone settings. Include some other settings which would appear after it (possibly unnecessary)
2. Start the system
3. Unbound.conf will fail to start, unbound-checkconf will report a syntax error on the next line after forward-zone

Expected behavior
The example code will produce a valid forward-zone block

Additional context
This build uses the fork from https://github.com/NixOS/nixpkgs/pull/124799/files because otherwise I couldn't even get to this point

Notify maintainers

@rissson

Metadata

• system: "x86_64-linux"
• host os: Linux 5.4.104, NixOS, 21.11pre-git (Porcupine)
• multi-user?: yes
• sandbox: yes
• version: nix-env (Nix) 2.3.11
• channels(root): "nixos-21.05.906.cedcf2565c6"
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: unbound

[rissson]

I have something like this in my unbound configuration, so it's weird it's not working for you:

forward-zone:
  forward-addr: 45.90.28.0#61ba3a.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#61ba3a.dns1.nextdns.io
  forward-addr: 45.90.30.0#61ba3a.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#61ba3a.dns2.nextdns.io
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-tls-upstream: yes
  name: .

I'm running Unbound 1.13.1, which is the latest version on 21.05.

[jasoncarr0]

Hmm,

I used your nixos fork so I have the exact same version.

Here's my unbound.conf with forward-zone. unbound-checkconf/unbound report a syntax error on line 21, on local-zone. This error doesn't seem to depend at all on which line is after forward-zone. It always reports the line after even if I have something else between it and local-zone

server:

  access-control: 127.0.0.0/24 allow
  access-control: 192.168.0.0/24 allow
  access-control: 192.168.1.0/24 allow
  auto-trust-anchor-file: /var/lib/unbound/root.key
  chroot: ""
  directory: /var/lib/unbound
  do-daemonize: no
  interface: 127.0.0.1
  interface: ::1
  ip-freebind: yes
  pidfile: ""
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  username: unbound
domain-insecure: "lan"
forward-zone:
  forward-addr: 1.1.1.1
  name: .

local-zone: "lan." static
remote-control:
  control-cert-file: /var/lib/unbound/unbound_control.pem
  control-enable: no
  control-interface: 127.0.0.1
  control-interface: ::1
  control-key-file: /var/lib/unbound/unbound_control.key
  server-cert-file: /var/lib/unbound/unbound_server.pem
  server-key-file: /var/lib/unbound/unbound_server.key

When I remove the forward-zone directive from nixpkgs i get:

server:

  access-control: 127.0.0.0/24 allow
  access-control: 192.168.0.0/24 allow
  access-control: 192.168.1.0/24 allow
  auto-trust-anchor-file: /var/lib/unbound/root.key
  chroot: ""
  directory: /var/lib/unbound
  do-daemonize: no
  interface: 127.0.0.1
  interface: ::1
  ip-freebind: yes
  pidfile: ""
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  username: unbound
domain-insecure: "lan"

local-zone: "lan." static
remote-control:
  control-cert-file: /var/lib/unbound/unbound_control.pem
  control-enable: no
  control-interface: 127.0.0.1
  control-interface: ::1
  control-key-file: /var/lib/unbound/unbound_control.key
  server-cert-file: /var/lib/unbound/unbound_server.pem
  server-key-file: /var/lib/unbound/unbound_server.key

which is accepted by unbound

Although I notice 1.1.1.1 is different from your entries, I see the same syntax error if replaced with 1.1.1.1@853#cloudflare-dns.com as you have it

[rissson]

Do you mind sharing your services.unbound config so I can debug this further?

[jasoncarr0]

Ah, whoops that would have been a smart thing to share immediately 😄

I've stripped out instead of commented some items which I ended up removing for debugging purposes. E.g. local-data is actually used for a pi-hole-esque blocklist

{
  services.unbound = {
    enable = true;
    settings.server.access-control = [
      "127.0.0.0/24 allow"
      "192.168.0.0/24 allow"
      "192.168.1.0/24 allow"
    ];

    settings.forward-zone = [{
      name = ".";
      forward-addr = [
        "1.1.1.1@853#cloudflare-dns.com"
      ];
    }];
    settings.domain-insecure = [ "\"lan\""];
    settings.local-zone = [
      "\"lan.\" static"
    ];
    settings.local-data = [
    ];
  };
}

[rissson]

Right, I got it. local-zone, local-data, and domain-insecure options should be part of the server clause.

[jasoncarr0]

Ah interesting. That's some wonky parsing behavior unbound's got then that it accepts them sometimes in other places

[rissson]

Closing this then.