Unbound and RPZ
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Mon Dec 18 13:50:42 UTC 2023
Hi Francis,
Welcome! Some quick notes from my part, inline.
Best regards,
-- Yorgos
On 18/12/2023 10:08, Francis Turner via Unbound-users wrote:
> Hi Everyone,
>
> I’m a brand new user of the mailing list. I work for ThreatSTOP which
> makes RPZs available on a variety of DNS platforms.
>
> Recently we’ve been asked to support unbound.
>
> Several years ago I looked at this and, at the time, there was no way to
> use a TSIG key to secure zone transfers and looking at the documentation
> today that seems to still be the case.
Indeed, although adding TSIG support for zone transfers is part of our
plans.
>
> I have an ubuntu based example server running that I am able to get RPZ
> into by means of an external shell script that does a dig and sed
> pipeline. Is this the preferred method? And/or has someone got clear
> documentation on how to do this better?
>
> I will be happy to contribute my example configs (and RPZ update script)
> back to the project if there are no better ones around.
>
> I have two questions, assuming that the shell script method is the
> correct approach
>
> 1. Once I have updated the rpz zonefile, should I use “unbound-control
> reload” to get the new RPZ in or is there a better alternative
> (auth_zone_reload )?
Reloading just that one zone is better time-wise.
Based on the contents of the RPZ zone itself (the kind of triggers it
uses, in particular rpz-nsdname and rpz-nsip since these will access
records already in the cache), also emptying the cache through a regular
reload may be what you need instead.
> 2. I think I’m correct that unbound-control log_reopen should be called
> in the postrotate stanza of a logrotate.d config ?
If you specify your own configuration file then yes.
If not, then logs are directed to the syslog which should be rotated
automatically.
>
> Thanks in advance for any and all assistance
>
> Regards
>
> Francis
>
> *Francis Turner *
>
> Threat STOP Global SE
>
> JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
>
> Office: +1-760-542-1550 | Line: francisturner
>
> francis at threatstop.com | www.threatstop.com
>
> *Weaponize Your Threat Intelligence*
>
> “If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
>
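Putting the answer to question 1 into a script, as an added example that is neither the thread's nor NLnet Labs' code: it fetches the zone with plain dig as Francis describes (no TSIG), then chooses between the cheaper single-zone auth_zone_reload and a full reload depending on whether the zone file uses rpz-nsdname or rpz-nsip triggers, as Yorgos explains. The zone name, file paths and master address are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from NLnet Labs.
# Assumes unbound.conf carries an rpz: block like
#   rpz:
#       name: "rpz.example"          # placeholder zone name
#       zonefile: "/var/lib/unbound/rpz.example.zone"
#       rpz-log: yes
# and that unbound-control is set up (control-enable: yes).
set -eu

# Pull the zone from the feed master with plain dig (no TSIG, as the thread
# notes) and write it atomically next to the live zonefile. Network step,
# not exercised by the stand-alone demo below.
fetch_rpz_axfr() {
    master=$1; zone=$2; zonefile=$3
    dig @"$master" "$zone" AXFR +noall +answer +onesoa > "$zonefile.tmp"
    # refuse an empty or refused transfer rather than clobbering the live file
    grep -q 'SOA' "$zonefile.tmp" || { rm -f "$zonefile.tmp"; return 1; }
    mv "$zonefile.tmp" "$zonefile"
}

# rpz-nsdname / rpz-nsip triggers act on NS data that may already sit in the
# cache, so such zones need the cache emptied (a full reload); the other
# trigger kinds can use the cheaper single-zone auth_zone_reload.
rpz_needs_cache_flush() {
    grep -Eiq '\.rpz-(nsdname|nsip)([[:space:]]|\.)' "$1"
}

# Print (not run) the unbound-control command to apply an updated zonefile.
rpz_reload_cmd() {
    zonefile=$1; zonename=$2
    if rpz_needs_cache_flush "$zonefile"; then
        echo "unbound-control reload"
    else
        echo "unbound-control auth_zone_reload $zonename"
    fi
}

# Constructed sample zone (placeholder names, not real threat data).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 300
@             SOA   localhost. root.localhost. 1 3600 900 604800 300
              NS    localhost.
bad.example   CNAME .
*.bad.example CNAME .
32.1.2.0.192.rpz-ip CNAME .
EOF
}

tmp=$(mktemp); write_sample_zone "$tmp"
rpz_reload_cmd "$tmp" rpz.example   # -> unbound-control auth_zone_reload rpz.example
rm -f "$tmp"
```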