Maintained by: NLnet Labs

[Unbound-users] NOTIFY implementation to unbound

Ondřej Surý
Thu Oct 8 23:30:00 CEST 2009


Marcus, don't get me (us) wrong. Implement whatever suits you; I'm just
against this code in upstream unbound.

Ondrej Sury

On 8.10.2009, at 16:24, Marcus Alves Grando <marcus at sbh.eng.br> wrote:

> Hello,
>
> On 10/08/2009 05:15 AM, W.C.A. Wijngaards wrote:
>> Hi Marcus,
>>
>> The patch code looks fine, but the problem is security for this.
>>
>> If you were to create a small program listening on port 12345 that
>> runs next to your unbound servers and flushes the zone when notified
>> (using unbound-control on the local machine), evldns could be used to
>> build such a thing easily. Then direct the notifies to that other port
>> number. Would that solve your issues in an architecturally sound manner?
>>
>> Since ldns has some TSIG functionality, that could then also be brought
>> to bear to secure the situation properly.
>
> The main idea is to create a way for the recursive server to keep all my
> zones fresh, without updating the whole process, or as little as possible.
>
> Implementing NOTIFY in unbound, I don't need to change anything in the
> master server, but I need to respect the RFC and not implement anything
> other than NOTIFY.
>
> Your approach, creating an evldns daemon on another port, is insecure too.
> Yes, it's another port, but NOTIFY does not include a security option. If
> the same people discover the evldns port, it is the same thing as
> implementing NOTIFY in unbound.
>
> I have no problem with an evldns daemon, and yes, it will solve my
> problem, but for me it's another thing to take care of: create some way
> to keep it running, another procedure for our operators in case of
> failure, etc.
>
> If you guys think that NOTIFY is not a better way, I'll create the evldns
> daemon without problem, but for me it's the same thing.
>
> Best regards.
>
>>
>> Best regards,
>>   Wouter
>>
>> On 10/07/2009 09:58 PM, Marcus Alves Grando wrote:
>>> On 10/05/2009 03:55 PM, Marcus Alves Grando wrote:
>>>> Hello guys,
>>>>
>>>> We started to test unbound on our internal DNS servers, but when there
>>>> is a zone update we need to wait until the TTL expires to have fresh
>>>> information. To solve this problem I implemented the NOTIFY part in
>>>> unbound to flush the qname from the cache.
>>>>
>>>> I think that can be used in many cases, since most of the time we need
>>>> to propagate DNS modifications quickly to our internal DNS.
>>>>
>>>> I still need to implement the ACL (notify-access-control), but what do
>>>> the maintainers think about it?
>>>
>>> Complete version with ACL attached. flex/bison are needed to recreate
>>> the related files.
>
> -- 
> Marcus Alves Grando
> marcus(at)sbh.eng.br | Personal
> mnag(at)FreeBSD.org  | FreeBSD.org
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
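The design Wouter sketches above (a small NOTIFY listener on a separate port that calls unbound-control on the local machine) and Marcus's objection that such a listener is no better protected than NOTIFY inside unbound, as an added example that is not part of the thread, not evldns, and not the patch Marcus posted. It is written in Python rather than against the evldns C API; port 12345 is the number Wouter names, while the ACL ranges, the unbound-control path and the sample NOTIFY are assumptions chosen for illustration. The listener validates the NOTIFY wire format (RFC 1996: opcode 4, one SOA/IN question), applies a source-address ACL, and runs `unbound-control flush_zone` for the zone name. The ACL is exactly the weak point Marcus describes: a UDP source address is spoofable, so anyone who can forge packets can still force cache flushes, which is why Wouter points at ldns's TSIG support. TSIG verification is not implemented in this example.

```python
"""DNS NOTIFY receiver beside Unbound that flushes the notified zone with
`unbound-control flush_zone`.  Added example: not evldns, not the posted patch.
Assumed for illustration (not from the thread): the ACL ranges, that
`unbound-control` is on PATH and configured, and the sample NOTIFY below."""
import ipaddress
import socket
import struct
import subprocess

LISTEN_PORT = 12345                   # the port number Wouter mentions
UNBOUND_CONTROL = "unbound-control"   # assumed to be on PATH
# Constructed ACL of primaries allowed to trigger a flush.  A UDP source
# address is spoofable, so this is not authentication; TSIG (RFC 2845)
# would be, and is deliberately not implemented here.
NOTIFY_ACL = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("127.0.0.1/32")]

OPCODE_NOTIFY, QTYPE_SOA, QCLASS_IN = 4, 6, 1
RCODE_NOERROR, RCODE_FORMERR, RCODE_NOTIMP, RCODE_REFUSED = 0, 1, 4, 5


class NotifyError(Exception):
    """Validation failure carrying the RCODE to answer with."""
    def __init__(self, rcode, msg):
        super().__init__(msg)
        self.rcode = rcode


def read_name(buf, off):
    """Decode a wire-format name at buf[off:] (RFC 1035, with compression).
    Returns (lower-cased presentation name, offset just past the name)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise NotifyError(RCODE_FORMERR, "truncated name")
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(buf):
                raise NotifyError(RCODE_FORMERR, "truncated pointer")
            end = end if end is not None else off + 2  # resume after first pointer
            off = ((length & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 64:
                raise NotifyError(RCODE_FORMERR, "pointer loop")
            continue
        if length > 63:
            raise NotifyError(RCODE_FORMERR, "bad label length")
        labels.append(buf[off + 1:off + 1 + length].decode("ascii", "replace").lower())
        off += 1 + length
    return (".".join(labels) + "." if labels else "."), (end if end is not None else off)


def parse_notify(msg):
    """Validate a NOTIFY request (RFC 1996); return (id, zone, question length)."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:
        raise NotifyError(RCODE_FORMERR, "QR set: a response, not a request")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise NotifyError(RCODE_NOTIMP, "only NOTIFY is served on this port")
    if qdcount != 1:
        raise NotifyError(RCODE_FORMERR, "NOTIFY carries exactly one question")
    zone, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise NotifyError(RCODE_FORMERR, "truncated question")
    if struct.unpack("!HH", msg[off:off + 4]) != (QTYPE_SOA, QCLASS_IN):
        raise NotifyError(RCODE_FORMERR, "question is not SOA/IN")
    return msg_id, zone, off + 4 - 12


def build_response(msg, rcode, question_len=0):
    """Reply with the request's ID and opcode, QR=1, RCODE, and the question copied."""
    msg_id, flags = struct.unpack("!HH", msg[:4])
    flags = 0x8000 | (flags & 0x7800) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", msg_id, flags, 1 if question_len else 0, 0, 0, 0)
    return header + msg[12:12 + question_len]


def run_unbound_control(argv):
    """argv list, never a shell: the zone name came off the wire."""
    return subprocess.run(argv, check=False).returncode


def handle_notify(msg, src_ip, run):
    """Process one datagram; returns (response bytes or None, flushed zone or None).
    `run` executes the unbound-control argv, so the logic is testable without Unbound."""
    if len(msg) < 12:
        return None, None                      # not even a header: drop silently
    try:
        _, zone, qlen = parse_notify(msg)
    except NotifyError as err:
        return build_response(msg, err.rcode), None
    if not any(ipaddress.ip_address(src_ip) in net for net in NOTIFY_ACL):
        return build_response(msg, RCODE_REFUSED, qlen), None
    # Act on the zone name only; an SOA in the answer section is an
    # unauthenticated hint and is ignored.
    run([UNBOUND_CONTROL, "flush_zone", zone])
    return build_response(msg, RCODE_NOERROR, qlen), zone


def build_notify(msg_id, zone):
    """Constructed sample input: a NOTIFY request as a primary would send it (AA set)."""
    header = struct.pack("!HHHHHH", msg_id, (OPCODE_NOTIFY << 11) | 0x0400, 1, 0, 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in zone.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def serve(port=LISTEN_PORT):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        msg, (src_ip, src_port) = sock.recvfrom(4096)
        resp, _ = handle_notify(msg, src_ip, run_unbound_control)
        if resp:
            sock.sendto(resp, (src_ip, src_port))


if __name__ == "__main__":
    serve()
```

Point the primary's `also-notify` at this port instead of at unbound's listener. Non-NOTIFY opcodes are answered NOTIMP and sources outside the ACL get REFUSED, so the daemon never flushes on anything but a well-formed NOTIFY from a listed address; the zone name is passed to unbound-control as a separate argv element, so a crafted name cannot reach a shell.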