[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Feb 11 08:37:27 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jiri,

On 02/10/2014 10:41 PM, Joe Abley wrote:
> 
> On 2014-02-10, at 16:17, Jiri Bohac <jiri at boha.cz> wrote:
> 
>> I'm trying to replace my bind server with unbound + nsd. My DNS
>> server works both as authoritative for a few zones and also as a
>> recursive resolver for a few subnets.
> 
> How about planning to run unbound and NSD independently, each bound
> to different addresses? You'll need to renumber your nameserver in
> the appropriate registries, but if there are only a few zones
> involved, that seems unlikely to be difficult.
> 
> Your life will get easier in the long run if you treat recursive
> and authoritative DNS as separate, independent services.

The options are called deny_non_local and refuse_non_local.  They
differ in what you want them to do with the disallowed
non-authoritative queries (drop or refuse, refuse is nicer and is more
like a regular authority server).

The version with this patch has not yet been released, you'll have to
wait for the next release or get the source from the svn (trunk).

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJS+eFDAAoJEJ9vHC1+BF+NqQgQAIvxrlJhGlevzduJaXILFZlr
eUVUbAlvOHnOdaxXdrWX2oA6qBdwumlOyVeRNY+V+4aGBK/JZMdEC0XF92pX/Lr8
9Mq+nFMoPQY5Gtxad/SHzxxmPzWAPepZ/PMhMfEbj0ni2be7wlcfO1jwVR7M1lzp
35QJdeTYAwD/bUVcOE42rV/HzVPEHtYh7djuxmxxcPJ35BHTraBFLqQ/u4Dm8zup
73ewk/dQdLcpT1r/JMyG/ylFlKZDnSgCOX/Tgy/8C9qpBaPTW99Sgdk13bUfjinB
BZZt5YlpRhqEF06TMoHIFlOSUVlqauUT2oZRFtTP4QaFbXAYSKgRXlyknTp8OFnW
g4yGqib/iuK727rplCAH6c52eEpQiPLn54MeyK3oW71X11N8Mnqj2sOvxQRIEv8w
SARN7tqVzQ9tqyGbV6eTKB84n8H75grbaN+LlWlZ7pK0B/J82OgSV4xRYkbR7WT1
FiVblcko7sC5KRM4DGF59KuPfGN6ZEWsxcas8hwiZ4LY//y9dI7rbDJmE96O9QEG
9db3uju8cuTHzF9/nZnp72mMjMxXKxH/2SNF96SRRejW4Hfzgobe9DUt7PVJqhqW
jTQtIlamoGN995wF1W4x676ekMv+rmtN5831BcNq5bb47+e57qc35hvnTix79+8+
e8NZ3nv7H1UfzI0idNdR
=SnOf
-----END PGP SIGNATURE-----



More information about the Unbound-users mailing list