Trusted upstream resolver
davew at hireahit.com
Tue Nov 3 21:04:39 UTC 2015
On 2015-11-03 05:57, W.C.A. Wijngaards via Unbound-users wrote:
> No, there is no option to disable the CNAME checks. The trust in the
> other nameserver is by the way not enough reason to have used such an
> option, it is protection against inserted spoofed packets here that
> has mandated the checks.
I'm having trouble wrapping my head around this one: why are CNAMEs
different with regard to spoofing?
I understand why the resolver wants to do sanity-checking, but are these
records more vulnerable to spoofing than in the general case of trusting
an upstream resolver implicitly?
> Consider enabling prefetch: yes (and prefetch-key: yes) in
> unbound.conf, for commonly asked queries that will make it prefetch a
> couple seconds before expiry to refresh the cache entry, and that
> should be enough to hide this latency for a larger number of queries.
When I was in a similar situation a few months back, prefetching made a
*big* difference, but only for names that are accessed by multiple
clients. There were cases where one client was frequently accessing the
same resource (but no others), and these still expired without getting
prefetched due to the client-side caching.
Such is life.
> Another option, but less desirable, is cache-min-ttl where you can
> force entries to stay in the cache for a longer time (i.e. that CNAME
> was from a CDN with very short TTLs).
Within a very reasonable ceiling. Perhaps 300 seconds might be the
largest cache-min-TTL that one might consider.
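A toy model of the behaviour discussed in this thread, added here as an example; it is not Unbound's code or the poster's. The 30 s upstream TTL, the 2 s prefetch window, the 60 s client-side cache and the 300 s cache-min-ttl ceiling are constructed to mirror the thread's numbers, not Unbound's actual prefetch heuristics.

```python
"""Toy resolver cache: a hit in the last `window` seconds before expiry
triggers a background refresh (the effect of prefetch: yes), and
cache-min-ttl raises short upstream TTLs to a floor. Constructed model."""


class PrefetchCache:
    def __init__(self, ttl, window=2, min_ttl=0):
        # Apply the cache-min-ttl floor, capped at the 300 s ceiling the
        # poster suggests as the largest value one should consider.
        self.ttl = max(ttl, min(min_ttl, 300))
        self.window = window
        self.expires = None   # absolute expiry time of the cached entry
        self.misses = 0       # upstream fetches a client had to wait for
        self.prefetches = 0   # refreshes done in the background before expiry

    def lookup(self, now):
        """Serve one query arriving at time `now` (seconds)."""
        if self.expires is None or now >= self.expires:
            self.misses += 1            # client sees the upstream latency
            self.expires = now + self.ttl
        elif self.expires - now <= self.window:
            self.prefetches += 1        # answered from cache, refreshed behind it
            self.expires = now + self.ttl
        return self.expires


def simulate(ttl, query_times, min_ttl=0, window=2):
    """Replay query arrival times; return (misses, prefetches)."""
    cache = PrefetchCache(ttl, window, min_ttl)
    for t in sorted(query_times):
        cache.lookup(t)
    return cache.misses, cache.prefetches


def many_clients(ttl=30, duration=300):
    # Many clients: some query lands in the prefetch window every cycle,
    # so after the first miss the entry is always refreshed before expiry.
    return simulate(ttl, range(0, duration))


def single_client(ttl=30, client_cache=60, duration=300, min_ttl=0):
    # One client with its own 60 s cache asks only every 60 s; with a 30 s
    # upstream TTL the entry has already expired each time, so prefetch
    # never fires. A cache-min-ttl floor is what hides that latency.
    return simulate(ttl, range(0, duration, client_cache), min_ttl)
```

Running `many_clients()` gives one miss and ten prefetches, while `single_client()` gives five misses and no prefetches until a cache-min-ttl floor is applied.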