Bug 2159186

Summary: [RFE] Add --enable-dnscrypt to unbound compilation options
Product: [Fedora] Fedora
Reporter: Ryan Quinn <quinn.rm>
Component: unbound
Assignee: Paul Wouters <paul.wouters>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 37
CC: aegorenkov.91, akhaitovich, paul.wouters, pemensik, pj.pandit
Hardware: x86_64
OS: Linux
Last Closed: 2023-01-13 23:36:49 UTC
Type: Bug

Description Ryan Quinn 2023-01-09 05:53:12 UTC
Description of problem:

Unbound isn't configured with the '--enable-dnscrypt' compilation option.

Unbound has the ability to act as a DNSCrypt server, but the feature needs to be enabled via the '--enable-dnscrypt' compilation option.

Version-Release number of selected component (if applicable):

unbound-1.17.0-1.fc37

How reproducible:

100%

Steps to Reproduce:
1. Configure Unbound source without '--enable-dnscrypt'.
2. Build Unbound.
3. Install Unbound.
4. unbound -V | grep -i dnscrypt

Actual results:

./configure \
    --build=x86_64-redhat-linux-gnu \
    --host=x86_64-redhat-linux-gnu \
    --program-prefix= \
    --disable-dependency-tracking \
    --prefix=/usr \
    --exec-prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --sysconfdir=/etc \
    --datadir=/usr/share \
    --includedir=/usr/include \
    --libdir=/usr/lib64 \
    --libexecdir=/usr/libexec \
    --localstatedir=/var \
    --sharedstatedir=/var/lib \
    --mandir=/usr/share/man \
    --infodir=/usr/share/info \
    --with-pythonmodule \
    --with-pyunbound PYTHON=/usr/bin/python3 \
    --enable-dnstap \
    --with-libnghttp2 \
    --with-libevent \
    --with-pthreads \
    --with-ssl \
    --disable-rpath \
    --disable-static \
    --enable-relro-now \
    --enable-pie \
    --enable-subnet \
    --enable-ipsecmod \
    --with-conf-file=/etc/unbound/unbound.conf \
    --with-pidfile=/run/unbound/unbound.pid \
    --enable-sha2 \
    --disable-gost \
    --enable-ecdsa \
    --with-rootkey-file=/var/lib/unbound/root.key \
    --enable-linux-ip-local-port-range \
&& make && make install

$ unbound -V | grep -i dnscrypt
$

Expected results:

./configure --enable-dnscrypt \
    --build=x86_64-redhat-linux-gnu \
    --host=x86_64-redhat-linux-gnu \
    --program-prefix= \
    --disable-dependency-tracking \
    --prefix=/usr \
    --exec-prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --sysconfdir=/etc \
    --datadir=/usr/share \
    --includedir=/usr/include \
    --libdir=/usr/lib64 \
    --libexecdir=/usr/libexec \
    --localstatedir=/var \
    --sharedstatedir=/var/lib \
    --mandir=/usr/share/man \
    --infodir=/usr/share/info \
    --with-pythonmodule \
    --with-pyunbound PYTHON=/usr/bin/python3 \
    --enable-dnstap \
    --with-libnghttp2 \
    --with-libevent \
    --with-pthreads \
    --with-ssl \
    --disable-rpath \
    --disable-static \
    --enable-relro-now \
    --enable-pie \
    --enable-subnet \
    --enable-ipsecmod \
    --with-conf-file=/etc/unbound/unbound.conf \
    --with-pidfile=/run/unbound/unbound.pid \
    --enable-sha2 \
    --disable-gost \
    --enable-ecdsa \
    --with-rootkey-file=/var/lib/unbound/root.key \
    --enable-linux-ip-local-port-range \
&& make && make install

$ unbound -V | grep -i dnscrypt
Configure line: ... --enable-dnscrypt ...
DNSCrypt feature available
$

Additional info:

With DNSCrypt enabled in Unbound, there wouldn't be a need to set up a separate DNSCrypt service. Unbound could do everything itself after the feature is enabled!

Even when compiled into the program, Unbound's DNSCrypt feature isn't enabled by default, and Unbound's behavior wouldn't change unless DNSCrypt is enabled in the config file.

This would introduce a dependency on 'libsodium', so I would understand if this isn't desirable.
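The report's reproduction step is to inspect `unbound -V` for the feature. The following POSIX shell helper is an added example, not part of the bug report or the Unbound project: it parses `unbound -V` output and answers whether a given `--enable-*` option was compiled in, so an operator can verify the build before relying on a feature in unbound.conf. The two sample outputs are constructed and abbreviated; they only reproduce the "Configure line:" and "DNSCrypt feature available" lines whose shape the report shows.

```shell
#!/bin/sh
# Added example: detect compile-time Unbound features from `unbound -V` output.
# The sample outputs below are constructed (abbreviated) and mirror the
# "Actual results" (no dnscrypt) and "Expected results" (dnscrypt) in the report.

# Constructed sample: a build configured without --enable-dnscrypt.
SAMPLE_WITHOUT='Version 1.17.0

Configure line: --build=x86_64-redhat-linux-gnu --enable-dnstap --enable-subnet --with-ssl
Linked libs: (abbreviated, constructed)
Linked modules: (abbreviated, constructed)'

# Constructed sample: the same build with --enable-dnscrypt added.
SAMPLE_WITH='Version 1.17.0

Configure line: --build=x86_64-redhat-linux-gnu --enable-dnstap --enable-dnscrypt --with-ssl
DNSCrypt feature available
Linked libs: (abbreviated, constructed)'

# has_feature NAME VERSION_OUTPUT
# Exit status 0 if "--enable-NAME" appears as a whole token on the
# "Configure line:" of VERSION_OUTPUT, 1 otherwise. Matching the whole token
# avoids confusing e.g. --enable-dnstap with --enable-dnscrypt.
has_feature() {
  name="$1"
  printf '%s\n' "$2" \
    | grep -E '^Configure line:' \
    | grep -qE "(^|[[:space:]])--enable-${name}([[:space:]]|\$)"
}

# enabled_features VERSION_OUTPUT
# Prints every --enable-* option from the Configure line, one per line, sorted.
enabled_features() {
  printf '%s\n' "$1" \
    | sed -n 's/^Configure line: *//p' \
    | tr ' ' '\n' \
    | sed -n 's/^--enable-//p' \
    | sort
}

# Usage against the installed binary; skipped when unbound is not on PATH.
if command -v unbound >/dev/null 2>&1; then
  out="$(unbound -V 2>/dev/null)"
  if has_feature dnscrypt "$out"; then
    echo "dnscrypt: compiled in"
  else
    echo "dnscrypt: not compiled in"
  fi
  echo "enabled features:"
  enabled_features "$out"
fi
```

`has_feature` takes the captured text as an argument rather than running `unbound -V` itself, so the same check can be run against output collected from another host or from a build log.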

Comment 1 Paul Wouters 2023-01-13 23:36:49 UTC
Yes, the requirement for libsodium is a deal breaker.

Honestly, with DoT, DoH, DoQ et al., the dnscrypt protocol is really legacy.