[Unbound-users] combining python + 2 iterator modules
pspacek at redhat.com
Thu Jan 22 17:00:26 UTC 2015
On 22.1.2015 10:37, Yuri Schaeffer wrote:
> Hi Petr,
>> I would like to know if it is possible to somehow combine 1 custom
>> python module with two instances of iterator modules (with different
> I don't see a way to do that within a reasonable amount of work. Might I
> suggest sharing the problem you are trying to solve with the list, rather
> than your solution?
The purpose of this exercise is to help with DNSSEC validation on roaming
machines & support DNS split views at the same time.
Internal & external DNS views are both signed or both unsigned.
It should work like this:

1) Probing/preparation when client connects to a network:
   Client probes if servers advertised by DHCP support DNSSEC:
   a) If DHCP-advertised servers *do support* DNSSEC -> use them for
      everything, do full validation.
   b) If DHCP-advertised servers *do not support* DNSSEC:
      - Find a hole in firewall so we can contact DNS servers on public Internet.

2) Query processing for cases where local servers do not support DNSSEC:
   - Do recursion and validation using external DNS servers.
   a) If result is SECURE -> return result.
   b) If result is provably INSECURE -> query local servers advertised by DHCP
      and return whatever they returned.
This algorithm covers DNS split-views with internal unsigned views pretty
nicely as long as the fundamental assumption holds.
Thank you for any implementation advice!
Petr Spacek @ Red Hat
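
The decision procedure from the message above, as an added example that is not part of the original post and does not use Unbound's module API. All names and zone data are constructed for illustration, and failing closed on a BOGUS result is an assumption of this example, since the post only covers SECURE and INSECURE. The `intranet.signed.example.` entry shows what happens when the stated assumption (both views signed or both unsigned) does not hold.

```python
from enum import Enum

class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"

# Constructed data: validated result from external recursion, as (status, answer).
# answer None means the name does not exist in that view.
EXTERNAL = {
    "www.signed.example.": (Status.SECURE, "192.0.2.10"),
    "intranet.signed.example.": (Status.SECURE, None),   # signed proof of non-existence
    "www.corp.example.": (Status.INSECURE, "198.51.100.5"),
    "wiki.corp.example.": (Status.INSECURE, None),       # unsigned zone, internal-only name
    "tampered.signed.example.": (Status.BOGUS, "203.0.113.66"),
}
# Constructed data: unvalidated answers from the DHCP-advertised local servers.
LOCAL = {
    "www.signed.example.": "10.6.6.6",       # never consulted: external result is SECURE
    "intranet.signed.example.": "10.0.0.9",  # unreachable: violates the assumption
    "www.corp.example.": "10.0.0.5",
    "wiki.corp.example.": "10.0.0.7",
}

def choose_mode(local_supports_dnssec):
    """Step 1: decided once, when the client attaches to a network."""
    return "local-validate" if local_supports_dnssec else "external-validate"

def resolve(name, external=EXTERNAL, local=LOCAL):
    """Step 2: query processing when local servers do not support DNSSEC.
    Returns (source, answer)."""
    status, answer = external[name]
    if status is Status.SECURE:
        return ("external", answer)        # 2a: validated data is returned as-is
    if status is Status.INSECURE:
        return ("local", local.get(name))  # 2b: provably unsigned, use the local view
    # Assumption of this example: a BOGUS result is never replaced by local data.
    raise LookupError(f"SERVFAIL: validation failed for {name}")

if __name__ == "__main__":
    for qname in EXTERNAL:
        try:
            print(qname, resolve(qname))
        except LookupError as err:
            print(qname, err)
```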