Marcus, don't get me (us) wrong. Implement whatever suits you, I'm just against this code in upstream unbound.

Ondrej Sury

On 8.10.2009, at 16:24, Marcus Alves Grando <marcus at sbh.eng.br> wrote:

> Hello,
>
> On 10/08/2009 05:15 AM, W.C.A. Wijngaards wrote:
>> Hi Marcus,
>>
>> The patch code looks fine, but the problem is security for this.
>>
>> If you were to create a small program listening on port 12345 that
>> runs next to your unbound servers, that flushes the zone when notified
>> (using unbound-control on the local machine). evldns could be easy to
>> build such a thing. Then direct the notifies to that other port number.
>> Would that solve your issues in an architecturally sound manner?
>>
>> Since ldns has some TSIG functionality, that could then also be brought
>> to bear to secure the situation properly.
>
> The main idea is to create one way for the recursive server to keep all my
> zones fresh, without updating the whole process, or as little as possible.
>
> Implementing notify in unbound, I don't need to change anything in the
> master server, but I need to respect the RFC and not implement anything
> other than notify.
>
> Your approach, creating an evldns daemon on another port, is insecure too.
> Yes, it's another port, but notify does not include a security option. If
> the same people discover the evldns port, it is the same thing as
> implementing notify in unbound.
>
> I have no problem with an evldns daemon and yes, it will solve my problem,
> but for me it's another thing to take care of: create some way to keep it
> running, another procedure for our operators in case of failure, etc.
>
> If you guys think that notify is not the better way, I'll create an evldns
> daemon without problem, but for me it's the same thing.
>
> Best regards.
>
>> Best regards,
>> Wouter
>>
>> On 10/07/2009 09:58 PM, Marcus Alves Grando wrote:
>>> On 10/05/2009 03:55 PM, Marcus Alves Grando wrote:
>>>> Hello guys,
>>>>
>>>> We started to test unbound in our internal DNS servers, but when there
>>>> is some zone update we need to wait until the TTL expires to have fresh
>>>> information. To solve this problem I implemented the NOTIFY part in
>>>> unbound to flush the qname in the cache.
>>>>
>>>> I think that can be used in many cases, since most of the time we need
>>>> to propagate DNS modifications fast to our internal DNS.
>>>>
>>>> I still need to implement the ACL (notify-access-control), but what do
>>>> the maintainers think about it?
>>>
>>> Complete version with ACL attached. Needs flex/bison to recreate the
>>> related files.
>
> --
> Marcus Alves Grando
> marcus(at)sbh.eng.br | Personal
> mnag(at)FreeBSD.org | FreeBSD.org
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
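Wouter's suggestion above, a small listener running beside Unbound that flushes the notified zone through unbound-control, worked out as an added example. This is not code from the thread, from Marcus's patch, or from the Unbound project, and it uses plain Python sockets rather than evldns. Assumptions: unbound-control is configured for the local server, the flush is done with the `flush_zone` command (Marcus's patch flushed the qname; `flush_zone` drops everything at or below the zone name), and NOTIFY_ACL is a constructed source-address list standing in for the notify-access-control Marcus mentions. No TSIG is added, so the example has exactly the weakness Marcus points out: the only check is the source address, which can be spoofed over UDP.

```python
"""Stand-alone NOTIFY receiver that flushes the notified zone from a local
Unbound cache with unbound-control (added example, not Unbound project code)."""
import ipaddress
import socket
import struct
import subprocess

OPCODE_NOTIFY = 4
RCODE_NOERROR, RCODE_FORMERR, RCODE_NOTIMP, RCODE_REFUSED = 0, 1, 4, 5
QTYPE_SOA, QCLASS_IN = 6, 1

# Constructed source-address list standing in for notify-access-control.
# Assumption: only these masters may trigger a flush (spoofable over UDP).
NOTIFY_ACL = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("2001:db8::/32")]


class NotifyError(Exception):
    """Malformed or unexpected request; rcode None means drop without reply."""
    def __init__(self, rcode, reason):
        super().__init__(reason)
        self.rcode = rcode


def encode_name(name):
    """Wire-encode a dotted name (used to build a NOTIFY for testing)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_name(msg, off):
    """Decode an uncompressed owner name at msg[off:]; return (name, offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise NotifyError(RCODE_FORMERR, "truncated name")
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        if ln > 63:  # compression pointers (0xC0) and reserved types rejected
            raise NotifyError(RCODE_FORMERR, "bad label length")
        labels.append(msg[off:off + ln].decode("ascii", "replace").lower())
        off += ln


def parse_notify(msg):
    """Validate a NOTIFY request (RFC 1996 section 3); return (zone, end of question)."""
    if len(msg) < 12:
        raise NotifyError(RCODE_FORMERR, "short header")
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        # Never answer a response: replying would let two listeners ping-pong.
        raise NotifyError(None, "QR set: a response, not a request")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise NotifyError(RCODE_NOTIMP, "only NOTIFY is served here")
    if qdcount != 1:
        raise NotifyError(RCODE_FORMERR, "NOTIFY carries exactly one question")
    zone, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise NotifyError(RCODE_FORMERR, "truncated question")
    if struct.unpack("!HH", msg[off:off + 4]) != (QTYPE_SOA, QCLASS_IN):
        raise NotifyError(RCODE_FORMERR, "question must be <zone> IN SOA")
    return zone, off + 4


def build_notify(zone, ident=0x1234):
    """Constructed NOTIFY as a master sends it: opcode 4, AA set, SOA IN question."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400
    return (struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN))


def build_response(msg, rcode, qend):
    """Same id and opcode, QR set, given rcode; echo the question only if it parsed."""
    ident, flags = struct.unpack("!HH", msg[:4].ljust(4, b"\x00"))
    flags = (flags & 0x7800) | 0x8000 | rcode
    question = msg[12:qend]
    hdr = struct.pack("!HHHHHH", ident, flags, 1 if question else 0, 0, 0, 0)
    return hdr + question


def handle(msg, src_ip, acl=NOTIFY_ACL, run=subprocess.run):
    """Process one datagram; return (rcode, zone, reply bytes).
    `run` is injectable so the flush can be checked without a live Unbound."""
    try:
        zone, qend = parse_notify(msg)
    except NotifyError as err:
        if err.rcode is None:
            return None, None, b""
        return err.rcode, None, build_response(msg, err.rcode, 0)
    if not any(ipaddress.ip_address(src_ip) in net for net in acl):
        return RCODE_REFUSED, zone, build_response(msg, RCODE_REFUSED, qend)
    # flush_zone drops every cached RR at or below the zone name; assumes
    # unbound-control is set up for the local server (remote-control: yes).
    run(["unbound-control", "flush_zone", zone], check=True)
    return RCODE_NOERROR, zone, build_response(msg, RCODE_NOERROR, qend)


def serve(bind_addr="0.0.0.0", port=12345, acl=NOTIFY_ACL):
    """UDP loop on the port Wouter suggested; point the master's notifies here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        msg, peer = sock.recvfrom(512)
        _, _, reply = handle(msg, peer[0], acl)
        if reply:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Run it next to Unbound and direct the master's notifies at port 12345; every accepted NOTIFY becomes one `unbound-control flush_zone <zone>` call, and the master gets a NOERROR reply so it stops retrying. The ACL decision rests on the UDP source address alone, which is the "secureless" objection Marcus raises: an attacker who can spoof the master's address can flush zones at will. Verifying a TSIG on the NOTIFY, as Wouter notes ldns can do, is what would close that gap, and is not shown here.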