[Unbound-users] NOTIFY implementation to unbound
ondrej at sury.org
Tue Oct 13 20:11:57 UTC 2009
On Tue, Oct 13, 2009 at 20:53, Greg A. Woods <woods at planix.ca> wrote:
> At Thu, 8 Oct 2009 10:41:20 -0400 (EDT), Paul Wouters <paul at xelerance.com> wrote:
> Subject: Re: [Unbound-users] NOTIFY implementation to unbound
>> On Thu, 8 Oct 2009, Marcus Alves Grando wrote:
>> > The main idea is create one way to recursive server keep all my zones
>> > freshly, without update all process or less as possible.
>> Would using a forward zone address this?
>> # Forward zones
>> # Create entries like below, to make all queries for 'example.com' and
>> # 'example.org' go to the given list of servers. These servers have to handle
>> # recursion to other nameservers. List zero or more nameservers by hostname
>> # or by ipaddress. Use an entry with name "." to forward all queries.
>> # forward-zone:
>> # name: "example.com"
>> # forward-addr: 192.0.2.68
>> # forward-addr: 192.0.2.73 at 5355 # forward to port 5355.
>> The description does not make it clear whether or not the responses are
>> always forwarded, or whether they are cached.
> I've been wondering the same thing for a long time now. I think based
> on my experience with one site where I've set up unbound using
> forward-addr they are cached, which would-be/is (IMHO) wrong.
I don't consider this wrong - Unbound is full caching resolver and not
just stub resolver. I guess it could be per forward option, but it's
> Ultimately though I like the NOTIFY solution best.
And it's direct violation of RFC1996. I wouldn't call it "solution",
but a "hack". While I consider it to be fine for Marcus (it's his
network after all), I would be extremely unhappy to see this in
> Sites converting from BIND will already be using NOTIFY.
Eh? Could you point me to the bind9 documentation saying that Bind9
will flush the cache if it receives notify?
> The so-called "security" issue for NOTIFY is a bunch of FUD-mongering.
> There are several ways to make sure unauthorised NOTIFY messages don't
> cause any harm.
And there are several ways how to make it compliant with existing
protocols, there were several mentioned and I am adding another one:
Configure snmptrapd with action to call unbound-control flushcache and
trigger SNMP trap when zone changes.
Ondřej Surý <ondrej at sury.org>
More information about the Unbound-users