Caching in libunbound

Paul Wouters paul at nohats.ca
Thu Mar 21 09:17:36 UTC 2019


On Thu, 21 Mar 2019, Rick van Rein via Unbound-users wrote:

> I am using libunbound for DANE-based realm-crossover for Kerberos.  This
> requires the KDC to map hosts to realms via DNSSEC, but otherwise it is
> just a wrapper around the KDC,
> https://github.com/arpa2/kxover/tree/tls-based-attempt

neat!

> 1.
> Does libunbound cache like an Unbound server would, for the duration of
> the TTL if the program does not exit before?

Yes.

> 2.
> The KDC and my daemon each use libunbound.  Does that mean they each
> have their own cache, and if so, is there a way to combine their storage
> and validation efforts?

If you want to trust your system unbound, don't do validation yourself
and check the AD bit? If you want to do validation in the app for
security, then you cannot trust the unbound daemon's validation. So I
am not quite sure what you are asking for.

>  I could speed up lookups with an Unbound daemon
> behind libunbound, but that'd give three caches and three independent
> validations!

Everything on localhost could use the unbound daemon on 127.0.0.1 as
forwarder, so it would use its cache. You will still have some duplicate
cache, but at least no additional latency since it is all local after
the unbound daemon put the data in its cache.

Paul
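
The first option in the reply above (trust the local Unbound daemon and check the AD bit), shown as an added example that is not part of the original message or of the Unbound code: a C check on the header of a raw DNS response. The names ad_check and ad_verdict and the sample header bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts for a DNS response header (names are illustrative assumptions). */
enum ad_verdict { AD_SECURE, AD_INSECURE, AD_FAILED, AD_MALFORMED, AD_MISMATCH };

/* Inspect the 12-octet DNS header of a reply from the local resolver. */
enum ad_verdict ad_check(const uint8_t *msg, size_t len, uint16_t query_id)
{
    if (msg == NULL || len < 12)
        return AD_MALFORMED;
    uint16_t id = (uint16_t)((msg[0] << 8) | msg[1]);
    uint8_t hi = msg[2], lo = msg[3];   /* the two flag octets */
    if (!(hi & 0x80))
        return AD_MALFORMED;            /* QR=0: a query, not a response */
    if (id != query_id)
        return AD_MISMATCH;             /* not the answer to our question */
    if (hi & 0x02)
        return AD_FAILED;               /* TC: truncated, retry over TCP */
    if ((lo & 0x0F) != 0)
        return AD_FAILED;               /* RCODE != NOERROR, e.g. SERVFAIL for bogus data */
    return (lo & 0x20) ? AD_SECURE : AD_INSECURE;   /* AD bit */
}

/* Constructed sample headers (ID 0x1a2b, all section counts zero). */
static const uint8_t HDR_AD[12]       = {0x1a, 0x2b, 0x81, 0xa0};  /* QR RD RA AD */
static const uint8_t HDR_NO_AD[12]    = {0x1a, 0x2b, 0x81, 0x80};  /* QR RD RA */
static const uint8_t HDR_SERVFAIL[12] = {0x1a, 0x2b, 0x81, 0x82};  /* RCODE=2 */
static const uint8_t HDR_QUERY[12]    = {0x1a, 0x2b, 0x01, 0x20};  /* QR=0, AD set */

int main(void)
{
    printf("%d %d %d %d\n",
           ad_check(HDR_AD, sizeof HDR_AD, 0x1a2b),
           ad_check(HDR_NO_AD, sizeof HDR_NO_AD, 0x1a2b),
           ad_check(HDR_SERVFAIL, sizeof HDR_SERVFAIL, 0x1a2b),
           ad_check(HDR_QUERY, sizeof HDR_QUERY, 0x1a2b));
    return 0;
}
```

The AD bit is an unauthenticated header flag, so AD_SECURE only means something when the resolver is reached over a path the application trusts, such as 127.0.0.1.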


