Maintained by: NLnet Labs

ipsechook and unbound-checkconf

W.C.A. Wijngaards
Mon Jul 3 09:15:32 CEST 2017

Hi Paul,

Thanks!  Fixed to check it only if ipsecmod is enabled and present in

Best regards, Wouter

On 02/07/17 13:57, Paul Wouters via Unbound-users wrote:
> Hi,
> The unbound-checkconf code checks for the ipsecmod hook to exist:
>     check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook,
> cfg->chrootdir
> ,
>          cfg);
> I want to ship unbound with the ipsecmod module enabled via the
> modules line, but activated via unbound-control. This means that
> the unbound.conf needs no changes when switching from regular mode
> to the mode where it uses the ipsec module for lookups. Currently,
> the ipsecmod hook is checked for, but if people don't have libreswan
> installed, unbound-checkconf fails, and with the systemd service,
> it means unbound won't start.
> I've patched this check out to prevent this.
> Paul
> ps. minor nit: you should rename check_chroot_string() if you use
> it for multiple things, one of which does not involve chroot :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>