At Thu, 8 Oct 2009 10:41:20 -0400 (EDT), Paul Wouters <paul at xelerance.com> wrote:
Subject: Re: [Unbound-users] NOTIFY implementation to unbound
>
> On Thu, 8 Oct 2009, Marcus Alves Grando wrote:
>
> > The main idea is create one way to recursive server keep all my zones
> > freshly, without update all process or less as possible.
>
> Would using a forward zone address this?
>
> # Forward zones
> # Create entries like below, to make all queries for 'example.com' and
> # 'example.org' go to the given list of servers. These servers have to handle
> # recursion to other nameservers. List zero or more nameservers by hostname
> # or by ipaddress. Use an entry with name "." to forward all queries.
> # forward-zone:
> #       name: "example.com"
> #       forward-addr: 192.0.2.68
> #       forward-addr: 192.0.2.73@5355  # forward to port 5355.
>
> The description does not make it clear whether or not the responses are
> always forwarded, or whether they are cached.

I've been wondering the same thing for a long time now.

I think based on my experience with one site where I've set up unbound
using forward-addr they are cached, which would-be/is (IMHO) wrong.

Ultimately though I like the NOTIFY solution best. Sites converting
from BIND will already be using NOTIFY.

The so-called "security" issue for NOTIFY is a bunch of FUD-mongering.
There are several ways to make sure unauthorised NOTIFY messages don't
cause any harm.

-- 
Greg A. Woods

+1 416 218-0098    VE3TCP    RoboHack <woods at robohack.ca>
Planix, Inc. <woods at planix.com>    Secrets of the Weird <woods at weird.com>
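One way to keep unauthorised NOTIFY messages harmless, as an added example that is not part of the original message and not Unbound code: a hypothetical receiver that accepts a NOTIFY (RFC 1996, opcode 4) only from listed masters and only for zones it already knows, and treats it purely as a hint to re-check the SOA serial. The allow-list reuses the forwarder addresses quoted above as assumed masters; all function names are illustrative.

```python
import ipaddress
import struct

OPCODE_NOTIFY = 4  # RFC 1996
# Assumption: the zone's masters are the forwarder addresses quoted in the thread.
ALLOWED_MASTERS = [ipaddress.ip_network(n) for n in ("192.0.2.68/32", "192.0.2.73/32")]
# Assumption: zones this resolver is configured to refresh on NOTIFY.
CONFIGURED_ZONES = {"example.com.", "example.org."}

def read_qname(msg, off):
    """Read an uncompressed QNAME at off; return (lowercased name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels) + ".", off

def accept_notify(msg, src_ip):
    """Return the zone whose SOA should be re-checked, or None to ignore the packet."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_NOTIFY or qdcount != 1:
        return None  # a response, not a NOTIFY, or an unexpected question count
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_MASTERS):
        return None  # sender is not a known master
    try:
        zone, off = read_qname(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, struct.error):
        return None
    if qtype != 6 or qclass != 1 or zone not in CONFIGURED_ZONES:
        return None  # only SOA/IN for zones we already serve
    # Hint only: the caller now asks a configured master for the SOA serial.
    return zone

def build_notify(zone, msg_id=0x1234):
    """Build a sample NOTIFY query (constructed input for the example)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split(".")) + b"\0"
    return struct.pack("!HHHHHH", msg_id, (OPCODE_NOTIFY << 11) | 0x0400, 1, 0, 0, 0) + q + struct.pack("!HH", 6, 1)
```

Because UDP source addresses can be spoofed, the allow-list alone is not authentication; what bounds the damage is that an accepted NOTIFY triggers at most one SOA query to a configured master, and TSIG can be layered on top where stronger assurance is wanted.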