Maintained by: NLnet Labs

[Unbound-users] Unbound as an "authoritative" cache?

Jan-Piet Mens
Thu Feb 7 08:37:35 CET 2008


On Wed Feb 06 2008 at 19:34:58 CET, Jim Jackson wrote:

> For security purposes it is highly recommended that caching and 
> authoritative servers be separate servers. Combining the two seems to be in 
> conflict with the idea of small fast secure servers.

Oh, absolutely. 

> Isn't this proposal 
> just "feature creep" towards being just another Bind server that is all 
> things to all people?

I don't think so.

> What would happen to NSD ? Would it be relegated to being just a slave 
> server? Or would it just go away?

NSD has nothing to do with this discussion, and NSD certainly does *not*
need a cache in front of it: it is fast enough :-)

> It is possible to run unbound and NSD on the same hardware with different 
> IP's thus avoiding cache poisoning. Putting both the authoritative and 
> caching server in one program would defeat the security wall of 
> separate servers.

I'm not talking of NSD. I'm talking of slow servers with a database
backend (e.g. BIND-SDB). This can be used as an authoritative server,
but it lacks in performance. My proposal is to put a fast cache before
servers of its kind, having the cache answer authoritatively. 

Obviously one can put a slave NSD or a slave BIND (or whatever else)
and have them perform AXFR from the slower backend server, but the
problem is always how the slaves are informed of new/removed zones.
Getting the front-end authoritative cache to determine "electrically"
which zones exist, seems a good idea.

        -JP
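The split deployment Jim Jackson describes above (Unbound and NSD on one host, each bound to its own address, so the cache and the authoritative server never share a listener) looks roughly like the following. This is an added illustration, not configuration from the thread or from NLnet Labs; the addresses, the zone name and the zone file path are constructed, and the `stub-zone` that lets the resolver reach the local authoritative server is an assumption about how the two are wired together.

```conf
# /etc/unbound/unbound.conf  -- the caching resolver (added example, constructed values)
server:
    interface: 192.0.2.53                 # resolver listens only on the client-facing address
    access-control: 192.0.2.0/24 allow    # only the local client network may use the cache
    access-control: 0.0.0.0/0 refuse      # everyone else is refused: no open resolver

# Send queries for the locally hosted zone to the authoritative daemon
# on its own address instead of resolving it from the root.
stub-zone:
    name: "example.com."
    stub-addr: 198.51.100.53

# /etc/nsd/nsd.conf  -- the authoritative server (added example, constructed values)
server:
    ip-address: 198.51.100.53             # authoritative listener on a separate address

zone:
    name: "example.com"
    zonefile: "/etc/nsd/example.com.zone" # placeholder path
```

The point of the two `access-control` lines is that a poisoned or abused cache cannot be reached from the outside at all, while the authoritative side on 198.51.100.53 answers the public and holds no cache to poison; keeping them in separate processes on separate addresses is what the thread calls the "security wall".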