RFE: max-refresh-time/min-refresh-time

Eric Luehrsen ericluehrsen at gmail.com
Mon Jul 27 21:34:44 UTC 2020

On 7/27/20 5:13 PM, Andrew Forgue via Unbound-users wrote:
> Hi there,
> Would it be possible to add a min/max refresh time when using auth-zone from the upstream?  We're trying to move some stuff from BIND (which supports it) to Unbound and use this in a few cases (usually with a pathological upstream or upstream we don't control) but doesn't seem supported.
> It it possible, or is there another way to accomplish a more frequent refresh-time for a zone?
> -Andrew

This would also be useful if caching an entire zone which is many GB 
like "com". Not that a residential or small office install should do 
this. Small ISP may benefit from both preventing errant updates less 
than an hour and ensuring a clean download every day or two. In general 
for all resolvers, good authoritative zone pre-cache controls will be 
necessary for wider adoption of DNSSEC and DANE. Round trips for 
signatures and validation can be costly to user experience when on fly.


Note: DANE has an obvious hurdle to get over. The naughty certificate 
providers that it bypasses (and so fixes) have an interest in protecting 
certificate fees they collect. Even when those fees are for certificates 
to zones they don't have a business relationship with. [ 

More information about the Unbound-users mailing list