Unbound and RPZ
Francis Turner
francis at threatstop.com
Mon Dec 18 09:08:08 UTC 2023
Hi Everyone,
I'm a brand new user of the mailing list. I work for ThreatSTOP, which makes RPZs available on a variety of DNS platforms.
Recently we've been asked to support unbound.
Several years ago I looked at this and, at the time, there was no way to use a TSIG key to secure zone transfers and looking at the documentation today that seems to still be the case.
I have an Ubuntu-based example server running that I am able to get RPZ into by means of an external shell script that does a dig and sed pipeline. Is this the preferred method? And/or has someone got clear documentation on how to do this better?
I will be happy to contribute my example configs (and RPZ update script) back to the project if there are no better ones around.
I have two questions, assuming that the shell script method is the correct approach:
1. Once I have updated the RPZ zonefile, should I use "unbound-control reload" to get the new RPZ in, or is there a better alternative (auth_zone_reload)?
2. I think I'm correct that unbound-control log_reopen should be called in the postrotate stanza of a logrotate.d config?
Thanks in advance for any and all assistance
Regards
Francis
Francis Turner
Threat STOP Global SE
JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
Office: +1-760-542-1550 | Line: francisturner
francis at threatstop.com<mailto:francis at threatstop.com> | www.threatstop.com<http://www.threatstop.com/>
Weaponize Your Threat Intelligence
"If You Don't Build It, They Definitely Will Not Come" - P. Vixie
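The dig-based update path and both questions in the post, written out as an added example that is not from the post, from ThreatSTOP or from the Unbound project. The zone name, server address, zonefile path and TSIG key format are placeholders; the `rpz:` stanza the script expects is sketched in the header comment. Because dig does the transfer, a TSIG key (`dig -y`) is used by dig alone and Unbound never has to know it. The script checks that the transferred text actually contains the zone's SOA before it replaces the live file, swaps the file in with an atomic rename, and then issues the per-zone `unbound-control auth_zone_reload` named in question 1 rather than a full `reload`; that this command applies to `rpz:` zones is an assumption here, with a full `reload` as the fallback. The `log_reopen` call for question 2 is wrapped so the same script can be invoked from a logrotate postrotate stanza.

```shell
#!/bin/sh
# Added example (not from the post or the Unbound project): pull an RPZ zone
# with dig, sanity-check it, install it atomically and tell Unbound to reload
# just that zone. All names, addresses and paths below are placeholders.
#
# Assumed unbound.conf stanza (placeholder names):
#   remote-control:
#       control-enable: yes
#   rpz:
#       name: rpz.example.test
#       zonefile: /var/lib/unbound/rpz.zone
set -eu

RPZ_ZONE="${RPZ_ZONE:-rpz.example.test}"          # placeholder zone name
RPZ_SERVER="${RPZ_SERVER:-192.0.2.10}"            # placeholder (RFC 5737 test net)
RPZ_FILE="${RPZ_FILE:-/var/lib/unbound/rpz.zone}" # must match zonefile: above
RPZ_TSIG="${RPZ_TSIG:-}"   # optional, e.g. "hmac-sha256:keyname:base64secret"
DIG="${DIG:-dig}"
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# AXFR the zone to stdout. When a TSIG key is given, dig signs the transfer
# itself (-y), so Unbound never needs the key.
fetch_zone() {
    if [ -n "$RPZ_TSIG" ]; then
        "$DIG" -y "$RPZ_TSIG" "@$RPZ_SERVER" "$RPZ_ZONE" AXFR +onesoa +nocmd +nocomments +nostats
    else
        "$DIG" "@$RPZ_SERVER" "$RPZ_ZONE" AXFR +onesoa +nocmd +nocomments +nostats
    fi
}

# Read zone text on stdin; print the SOA serial and return 0 if the zone's
# own SOA is present, else return 1. A refused or failed AXFR leaves dig
# printing only a ";" comment line, which must never replace the live file.
zone_serial() {
    awk -v zone="$RPZ_ZONE." '
        /^;/ { next }
        $1 == zone && $4 == "SOA" { serial = $7; found = 1 }
        END { if (found) { print serial; exit 0 } else { exit 1 } }'
}

# Fetch, verify, install, reload. Returns 1 on any failure and leaves the
# current zonefile untouched in that case.
update_rpz() {
    tmp="$(mktemp "$RPZ_FILE.XXXXXX")"
    trap 'rm -f "$tmp"' EXIT

    fetch_zone > "$tmp" || { echo "AXFR of $RPZ_ZONE from $RPZ_SERVER failed" >&2; rm -f "$tmp"; return 1; }
    new_serial="$(zone_serial < "$tmp")" || { echo "no SOA for $RPZ_ZONE in transfer" >&2; rm -f "$tmp"; return 1; }

    # Skip the reload when the serial has not moved (plain string compare,
    # not RFC 1982 serial arithmetic; good enough for a feed that only grows).
    old_serial=0
    if [ -f "$RPZ_FILE" ]; then
        old_serial="$(zone_serial < "$RPZ_FILE")" || old_serial=0
    fi
    if [ "$new_serial" = "$old_serial" ]; then
        echo "$RPZ_ZONE unchanged at serial $new_serial" >&2
        rm -f "$tmp"; trap - EXIT
        return 0
    fi

    chmod 0644 "$tmp"
    mv -f "$tmp" "$RPZ_FILE"   # rename is atomic: Unbound never reads a half-written file
    trap - EXIT
    # Reload only this zone instead of a full "unbound-control reload".
    # Assumption: auth_zone_reload applies to rpz: zones; fall back to
    # "reload" if your Unbound rejects it.
    "$UNBOUND_CONTROL" auth_zone_reload "$RPZ_ZONE"
}

# Question 2: call this from logrotate's postrotate stanza, e.g.
#   /var/log/unbound/unbound.log {
#       daily
#       postrotate
#           /usr/local/sbin/rpz-update.sh logrotate
#       endscript
#   }
reopen_logs() {
    "$UNBOUND_CONTROL" log_reopen
}

case "${1:-}" in
    update)    update_rpz ;;
    logrotate) reopen_logs ;;
esac
```

Run as `rpz-update.sh update` from cron (or from a NOTIFY handler) and as `rpz-update.sh logrotate` from the postrotate stanza. The `DIG` and `UNBOUND_CONTROL` variables exist so the fetch and reload steps can be pointed at wrappers or stubs when testing the script without a live feed.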