about unbound and systemd units

Joe Abley jabley at hopcount.ca
Sat Nov 17 16:40:16 UTC 2018


On Nov 17, 2018, at 17:57, Eric Luehrsen via Unbound-users
<unbound-users at nlnetlabs.nl> wrote:

> If Unbound is running and therefore
> doing its RFC5011 work, then don't run unbound-anchor.

These seem like good words.

The one possible wrinkle is that it's not enough for unbound to run to
do 5011; it needs to run over a period that exceeds the hold-down timer
(section 2.2). So knowing that unbound is doing its RFC 5011 work is
more complicated than knowing that it is running.

The whole business of trust anchor bootstrap is long overdue for
rethinking. The current mechanisms meet particular use-cases but, I
think it's fair to say, are widely considered to be less than
adequate. This is work that I hope to pick up again in the dnsop wg,
following the less than universally-loved
draft-jabley-dnsop-validator-bootstrap.


Joe
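
The hold-down point above, modelled as an added example (not part of the original message and not Unbound's code). It assumes the RFC 5011 add hold-down of 30 days and that resolver state persists between observations; the sample observations are constructed, and revocation of the keys that validated the RRset is not modelled.

```python
from datetime import datetime, timedelta

# RFC 5011 add hold-down: 30 days, or the DNSKEY RRset's original TTL if longer.
ADD_HOLD_DOWN = timedelta(days=30)


def accepted_at(observations, hold_down=ADD_HOLD_DOWN):
    """Return when a new key becomes a trust anchor, or None if it never does.

    observations: time-ordered (when, key_present) pairs, one per validly
    signed DNSKEY RRset the resolver fetched at the trust point.
    """
    pending_since = None
    for when, key_present in observations:
        if not key_present:
            pending_since = None      # RRset seen without the key: timer resets
        elif pending_since is None:
            pending_since = when      # first sighting starts the acceptance timer
        elif when - pending_since >= hold_down:
            return when               # first sighting once the timer has expired
    return None


def daily(start, days, missing=()):
    """Constructed sample data: one observation per day, key absent on `missing` days."""
    return [(start + timedelta(days=d), d not in missing) for d in range(days)]


START = datetime(2018, 10, 1)  # constructed start date

if __name__ == "__main__":
    cases = [
        ("running 20 days", daily(START, 20)),
        ("running 35 days", daily(START, 35)),
        ("key absent on day 15", daily(START, 50, missing={15})),
    ]
    for label, obs in cases:
        print(label, "->", accepted_at(obs))
```

A resolver that has been running for 20 days is running, but has not yet accepted the new key.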


