RFE: max-refresh-time/min-refresh-time
Eric Luehrsen
ericluehrsen at gmail.com
Mon Jul 27 21:34:44 UTC 2020
On 7/27/20 5:13 PM, Andrew Forgue via Unbound-users wrote:
> Hi there,
>
> Would it be possible to add a min/max refresh time when using auth-zone from the upstream? We're trying to move some stuff from BIND (which supports it) to Unbound and use this in a few cases (usually with a pathological upstream or upstream we don't control) but doesn't seem supported.
>
> Is it possible, or is there another way to accomplish a more frequent refresh-time for a zone?
>
> -Andrew
This would also be useful if caching an entire zone which is many GB
like "com". Not that a residential or small office install should do
this. A small ISP may benefit from both preventing errant updates less
than an hour apart and ensuring a clean download every day or two. In general
for all resolvers, good authoritative zone pre-cache controls will be
necessary for wider adoption of DNSSEC and DANE. Round trips for
signatures and validation can be costly to user experience when done on the fly.
-Eric
Note: DANE has an obvious hurdle to get over. The naughty certificate
providers that it bypasses (and so fixes) have an interest in protecting
certificate fees they collect. Even when those fees are for certificates
to zones they don't have a business relationship with.
[https://www.bankinfosecurity.com/study-finds-custom-market-for-bogus-tls-certificates-a-10680]