Maintained by: NLnet Labs

[Unbound-users] NOTIFY implementation to unbound

W.C.A. Wijngaards
Thu Oct 8 10:15:35 CEST 2009


Hi Marcus,

The patch code looks fine, but the problem is security for this.

If you were to create a small program listening on port 12345 that
runs next to your unbound servers, that flushes the zone when notified
(using unbound-control on the local machine), evldns could make it easy
to build such a thing.  Then direct the notifies to that other port number.
Would that solve your issues in an architecturally sound manner?

Since ldns has some tsig functionality, that could then also be brought
to bear to secure the situation properly.

Best regards,
    Wouter

On 10/07/2009 09:58 PM, Marcus Alves Grando wrote:
> On 10/05/2009 03:55 PM, Marcus Alves Grando wrote:
>> Hello guys,
>>
>> We started to test unbound in our internal DNS servers, but when there is
>> a zone update we need to wait until the TTL expires to have fresh
>> information. To solve this problem I implemented the NOTIFY part in unbound
>> to flush the qname in cache.
>>
>> I think that can be used in many cases, since most of the time we need to
>> propagate DNS modifications fast to our internal DNS servers.
>>
>> I still need to implement the acl (notify-access-control), but what do
>> the maintainers think about it?
>
> Complete version with acl attached. Need flex/bison to recreate related
> files.
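The sidecar Wouter sketches above (a small listener on its own port that runs next to Unbound and calls unbound-control when a NOTIFY arrives), written out as an added example. It is not code from this thread, from Unbound or from evldns; it is in Python rather than evldns, it assumes `unbound-control` is installed and set up on the same host, and the source-address ACL (`ALLOWED_NOTIFIERS`) and port 12345 are constructed placeholders. It parses the NOTIFY on the wire (opcode 4, one SOA/IN question), drops packets from addresses outside the ACL, and passes the zone name to `unbound-control flush_zone` as an argv element rather than through a shell. A source-address ACL alone is spoofable over UDP, which is exactly why the message above points at TSIG; this example does not implement TSIG.

```python
"""Minimal NOTIFY listener that flushes a zone from Unbound's cache.

Added example, not part of Unbound or evldns. Assumes unbound-control is
configured on this host. ACL networks and the port are constructed values.
"""
import ipaddress
import socket
import struct
import subprocess

OPCODE_NOTIFY = 4
QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NOERROR, RCODE_FORMERR, RCODE_SERVFAIL = 0, 1, 2

# Hypothetical ACL (constructed): only these primaries may trigger a flush.
# Source addresses are spoofable over UDP; TSIG is the proper fix (see thread).
ALLOWED_NOTIFIERS = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("2001:db8::/32")]


def encode_name(zone):
    """Encode a dotted zone name into uncompressed DNS wire format."""
    out = b""
    for label in zone.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_notify(packet):
    """Return (txid, zone) for a well-formed NOTIFY request, else raise ValueError."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a request")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise ValueError("opcode is not NOTIFY")
    if qdcount != 1:
        raise ValueError("NOTIFY carries exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qtype != QTYPE_SOA or qclass != QCLASS_IN:
        raise ValueError("NOTIFY question must be SOA IN")
    return txid, (".".join(labels) + "." if labels else ".")


def build_response(txid, rcode, zone=None):
    """NOTIFY response: QR and AA set, opcode NOTIFY, question echoed if known."""
    flags = 0x8000 | (OPCODE_NOTIFY << 11) | 0x0400 | rcode
    qdcount = 1 if zone else 0
    msg = struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)
    if zone:
        msg += encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    return msg


def flush_with_unbound_control(zone):
    """Run `unbound-control flush_zone <zone>`; argv list, so no shell parsing."""
    result = subprocess.run(["unbound-control", "flush_zone", zone],
                            capture_output=True, text=True)
    return result.returncode == 0


def handle_notify(packet, source_ip, flush=flush_with_unbound_control,
                  acl=ALLOWED_NOTIFIERS):
    """Return (response bytes or None, flushed zone or None)."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in acl) or len(packet) < 12:
        return None, None          # drop silently: no flush, no error oracle
    txid = struct.unpack("!H", packet[:2])[0]
    try:
        txid, zone = parse_notify(packet)
    except ValueError:
        return build_response(txid, RCODE_FORMERR), None
    ok = flush(zone)
    return build_response(txid, RCODE_NOERROR if ok else RCODE_SERVFAIL, zone), \
        (zone if ok else None)


def serve(bind_addr="127.0.0.1", port=12345):
    """UDP loop: the primaries' notifies are pointed at this port, not at Unbound."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            packet, (src_ip, src_port) = sock.recvfrom(512)
            response, _zone = handle_notify(packet, src_ip)
            if response:
                sock.sendto(response, (src_ip, src_port))


if __name__ == "__main__":
    serve()
```

`handle_notify` takes the flush action as a parameter so the ACL and wire-format checks can be exercised without a running Unbound; in production the default calls `unbound-control flush_zone`, which is a documented unbound-control command.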