<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Ariel;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Thanks for the tip regarding unbound-control. I assume the initial start still has to be via the systemctl script. I Bring up this point since for the teams I support they need DNS to be available much quicker during bootstrap. I will dig
deeper into this as well. Thanks again.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Freya Kalin <tri-mate@yandex.com><br>
<b>Date: </b>Friday, September 6, 2019 at 6:09 AM<br>
<b>To: </b>"Guevara, Daniel" <Daniel_Guevara@intuit.com><br>
<b>Cc: </b>"unbound-users@nlnetlabs.nl" <unbound-users@nlnetlabs.nl><br>
<b>Subject: </b>Re: Unbound stop root server lookup<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div style="border:solid #FFDC00 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt">
<p class="MsoNormal" style="line-height:12.0pt;background:#FFDC00"><span style="font-size:10.0pt;font-family:"Ariel",serif;color:#0072C6">This email is from an external sender.
<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Yes, it is truly annoying to operate unbound in a non-Internet or firewall-restricted environment.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Every start/restart takes ~2 minutes on my CentOS box. Even though I provide the root-hints to unbound as a file, it still wants to contact the root nameservers during startup.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I've found better results with unbound-control reload. It does something similar to restart or kill -9 + start, I am not aware of the exact difference tho.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">It reloads unbound in a few seconds even in a restricted environment.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Additionally, nowhere in the documentation does it say what I need to do when I update the root.hints file, reload or restart ?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">05.09.2019, 23:58, "Joe Abley via Unbound-users" <unbound-users@nlnetlabs.nl>:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Hi Daniel,<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> On Sep 5, 2019, at 16:23, Guevara, Daniel via Unbound-users <<a href="mailto:unbound-users@nlnetlabs.nl">unbound-users@nlnetlabs.nl</a>> wrote:<br>
<br>
Rather than putting rules for all 26 root servers (both udp and tcp on port 53), it was easier for me to test by allowing all outbound (0.0.0.0/0) on port 53.<o:p></o:p></p>
</blockquote>
<p><br>
A minor correction; 13 root servers but 26 root server addresses (each<br>
currently has one IPv4 and one IPv6 address).<br>
<br>
Note also that the root servers are not the only things you need to be<br>
able to reach if you want your nameserver to operate with full<br>
recursive lookups and you want to be able to resolve things outside<br>
the root, arpa and root-servers.net zones.<br>
<br>
<br>
Joe<o:p></o:p></p>
</blockquote>
</div>
</div>
</body>
</html>