Maintained by: NLnet Labs

[Unbound-users] NOTIFY implementation to unbound

Greg A. Woods
Tue Oct 13 20:53:24 CEST 2009


At Thu, 8 Oct 2009 10:41:20 -0400 (EDT), Paul Wouters <paul at xelerance.com> wrote:
Subject: Re: [Unbound-users] NOTIFY implementation to unbound
> 
> On Thu, 8 Oct 2009, Marcus Alves Grando wrote:
> 
> > The main idea is to create a way for the recursive server to keep all my zones
> > fresh, without updating the whole process, or as little as possible.
> 
> Would using a forward zone address this?
> 
> # Forward zones
> # Create entries like below, to make all queries for 'example.com' and
> # 'example.org' go to the given list of servers. These servers have to handle
> # recursion to other nameservers. List zero or more nameservers by hostname
> # or by ipaddress. Use an entry with name "." to forward all queries.
> # forward-zone:
> # 	name: "example.com"
> # 	forward-addr: 192.0.2.68
> # 	forward-addr: 192.0.2.73 at 5355  # forward to port 5355.
> 
> The description does not make it clear whether or not the responses are
> always forwarded, or whether they are cached.

I've been wondering the same thing for a long time now.  I think, based
on my experience with one site where I've set up unbound using
forward-addr, that they are cached, which would be, or is, (IMHO) wrong.

Ultimately though I like the NOTIFY solution best.

Sites converting from BIND will already be using NOTIFY.

The so-called "security" issue for NOTIFY is a bunch of FUD-mongering.
There are several ways to make sure unauthorised NOTIFY messages don't
cause any harm.

-- 
						Greg A. Woods

+1 416 218-0098                VE3TCP          RoboHack <woods at robohack.ca>
Planix, Inc. <woods at planix.com>      Secrets of the Weird <woods at weird.com>
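The message above asserts that unauthorised NOTIFY messages need not cause any harm but does not spell out how. The block below is an added illustration, not Unbound code and not anything posted by the participants: a small NOTIFY receiver in Python that parses the RFC 1996 wire format strictly, honours a NOTIFY only when it arrives from a primary configured for that zone (the same idea as BIND's allow-notify), treats an accepted NOTIFY purely as a hint to go and re-fetch the zone from the configured primary rather than trusting anything in the message, and damps repeated NOTIFYs so a flood cannot become a refresh storm. The zone list, the addresses and the 60-second cooldown are constructed values for the example; in a recursive server the "refresh" action would be whatever flushes the cached zone data, which this example only signals.

```python
import struct
import time
import ipaddress

OPCODE_NOTIFY = 4                       # RFC 1996 opcode
QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NOERROR, RCODE_FORMERR, RCODE_REFUSED, RCODE_NOTAUTH = 0, 1, 5, 9

# Constructed policy (assumption): per zone, the primaries whose NOTIFY we honour.
# Same idea as BIND's allow-notify; a NOTIFY from any other address is refused.
NOTIFY_POLICY = {"example.com.": {"192.0.2.68", "192.0.2.73"}}
MIN_REFRESH_INTERVAL = 60.0             # seconds between refreshes of one zone (constructed)


def encode_name(name):
    """Wire-encode a dotted owner name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off:]; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0 or off + n > len(msg):
            raise ValueError("bad label")     # no pointers in a question, no overrun
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_notify(zone, qid=0x1234, opcode=OPCODE_NOTIFY):
    """Constructed sample input: header with AA set plus one SOA/IN question, no RRs."""
    flags = (opcode << 11) | 0x0400
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN))


def parse_notify(msg):
    """Accept only a well-formed NOTIFY request; return the zone it names."""
    if len(msg) < 12:
        raise ValueError("short header")
    _qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR set: a response, not a request")
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        raise ValueError("opcode is not NOTIFY")
    if qd != 1:
        raise ValueError("NOTIFY carries exactly one question")
    zone, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    if struct.unpack("!HH", msg[off:off + 4]) != (QTYPE_SOA, QCLASS_IN):
        raise ValueError("NOTIFY question must be SOA/IN")
    return zone.lower()                    # owner names compare case-insensitively


def build_response(msg, rcode):
    """NOTIFY response: same ID, QR set, rcode filled in, no sections."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return struct.pack("!HHHHHH", qid, ((flags | 0x8000) & ~0x000F) | rcode, 0, 0, 0, 0)


class NotifyHandler:
    """Decides what an incoming NOTIFY is allowed to cause."""

    def __init__(self, policy=NOTIFY_POLICY, min_interval=MIN_REFRESH_INTERVAL,
                 now=time.monotonic):
        self.policy = {z.lower(): {ipaddress.ip_address(a) for a in addrs}
                       for z, addrs in policy.items()}
        self.min_interval, self.now, self.last_refresh = min_interval, now, {}

    def handle(self, msg, src_ip):
        """Return (action, rcode); action is "refresh" or None.

        "refresh" means: query *our configured primary* for the zone.  Nothing in
        the NOTIFY is trusted or cached, so a forged one can at most trigger that."""
        try:
            zone = parse_notify(msg)
        except ValueError:
            return None, RCODE_FORMERR     # anything that is not a clean NOTIFY is rejected
        allowed = self.policy.get(zone)
        if allowed is None:
            return None, RCODE_NOTAUTH     # not a zone we track
        if ipaddress.ip_address(src_ip) not in allowed:
            return None, RCODE_REFUSED     # UDP source is spoofable; unlisted senders get nothing
        t = self.now()
        if t - self.last_refresh.get(zone, float("-inf")) < self.min_interval:
            return None, RCODE_NOERROR     # ack it, but one refresh per interval at most
        self.last_refresh[zone] = t
        return "refresh", RCODE_NOERROR
```

Two points carry the weight here. A NOTIFY is never a source of data: even an accepted one only tells the receiver to ask its own configured primary, so spoofing the UDP source buys an attacker nothing beyond an extra SOA lookup, and the per-zone cooldown caps even that. Source checking is still worth doing because it keeps unknown senders from consuming that lookup budget at all; a deployment that wants more than address matching would add TSIG, which this example does not implement.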