unbound sample config for RFC7706

nusenu nusenu-lists at riseup.net
Fri Nov 30 13:23:00 UTC 2018

ѽ҉ᶬḳ℠ via Unbound-users:
> On 30.11.2018 11:59, nusenu wrote:
>> I did send an example unbound config for review to the DNSOP mailing list:
>> https://mailarchive.ietf.org/arch/msg/dnsop/KLJFVjgALzvjZY0F0aZjFhE60LQ

Let's paste the sample config from the above URL for convenience:

> auth-zone:
> 	name: "."
> 	master: "b.root-servers.net"
> 	master: "c.root-servers.net"
> 	master: "d.root-servers.net"
> 	master: "f.root-servers.net"
> 	master: "g.root-servers.net"
> 	master: "k.root-servers.net"
> 	fallback-enabled: yes
> 	for-downstream: no
> 	for-upstream: yes
> 	zonefile: "root.zone"

> The sample is using URLs instead of IP addresses and thus they have to be resolved
> first. Shouldn't the relevant IPs be stated instead?

This sample uses Unbound's "master" directive with hostnames instead of IP addresses
with the following motivation/reasoning:

- it is unlikely that operators will update that config sample once they added it
- root server hostnames are expected to change less often (ever?) than their IP addresses
- unbound ships builtin hints data

Open question:
If a lot of operators deploy the above sample, will b.root-servers.net have to handle most requests
or will unbound choose a random/the fastest server? (we should avoid putting all the load on one)

Unbound also supports zone transfer with the "url" config directive. 
Using "url" you could fetch it from:


