Maintained by: NLnet Labs

[Unbound-users] NOTIFY implementation to unbound

Ondřej Surý
Tue Oct 13 22:11:57 CEST 2009


On Tue, Oct 13, 2009 at 20:53, Greg A. Woods <woods at planix.ca> wrote:
> At Thu, 8 Oct 2009 10:41:20 -0400 (EDT), Paul Wouters <paul at xelerance.com> wrote:
> Subject: Re: [Unbound-users] NOTIFY implementation to unbound
>>
>> On Thu, 8 Oct 2009, Marcus Alves Grando wrote:
>>
> > The main idea is to create a way for the recursive server to keep all my zones
>> > fresh, without updating the whole process, or as little as possible.
>>
>> Would using a forward zone address this?
>>
>> # Forward zones
>> # Create entries like below, to make all queries for 'example.com' and
>> # 'example.org' go to the given list of servers. These servers have to handle
>> # recursion to other nameservers. List zero or more nameservers by hostname
>> # or by ipaddress. Use an entry with name "." to forward all queries.
>> # forward-zone:
>> #     name: "example.com"
>> #     forward-addr: 192.0.2.68
>> #     forward-addr: 192.0.2.73 at 5355  # forward to port 5355.
>>
>> The description does not make it clear whether or not the responses are
>> always forwarded, or whether they are cached.
>
> I've been wondering the same thing for a long time now.  I think based
> on my experience with one site where I've set up unbound using
> forward-addr they are cached, which would-be/is (IMHO) wrong.

Why?

I don't consider this wrong - Unbound is a full caching resolver and not
just a stub resolver. I guess it could be a per-forward option, but it's
not wrong.

> Ultimately though I like the NOTIFY solution best.

And it's a direct violation of RFC 1996. I wouldn't call it a "solution",
but a "hack". While I consider it to be fine for Marcus (it's his
network after all), I would be extremely unhappy to see this in
unbound upstream.

> Sites converting from BIND will already be using NOTIFY.

Eh? Could you point me to the BIND 9 documentation saying that BIND 9
will flush the cache if it receives a NOTIFY?

> The so-called "security" issue for NOTIFY is a bunch of FUD-mongering.
> There are several ways to make sure unauthorised NOTIFY messages don't
> cause any harm.

And there are several ways to make it compliant with existing
protocols; several were mentioned, and I am adding another one:

Configure snmptrapd with an action to call unbound-control flushcache, and
trigger an SNMP trap when the zone changes.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
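The snmptrapd approach sketched in the mail, as an added example that is not code from the thread, from NLnet Labs or from Unbound. It is the "traphandle" script snmptrapd would run for each received trap: it reads the trap text snmptrapd writes to the handler's stdin (hostname, transport address, then one "OID value" pair per line), pulls the zone name out of one varbind, checks it against an allow-list of zones this resolver is expected to flush, and only then builds the `unbound-control flush_zone <name>` command (`flush_zone` is the existing unbound-control subcommand that drops a zone and everything below it; the mail's "flushcache" is not one). The handler path, the enterprise OID that carries the zone name, and the allow-list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread: snmptrapd "traphandle"
# script that turns a zone-change trap into "unbound-control flush_zone".
#
# Assumed snmptrapd.conf line (assumption, not from the thread):
#   traphandle default /usr/local/sbin/unbound-flush-handler
#
# snmptrapd feeds the handler on stdin: line 1 hostname, line 2 transport
# address, then "OID value" pairs, one per line.

ZONE_OID="NET-SNMP-MIB::netSnmpExperimental.1"   # assumption: varbind carrying the zone name
ALLOWED_ZONES="example.com example.org"           # assumption: zones this resolver may flush
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# zone_from_trap: read trap text on stdin, print the zone name carried by
# $ZONE_OID (quotes, "STRING:" tag and trailing dot removed), or nothing
# if the trap does not carry that varbind.
zone_from_trap() {
    awk -v oid="$ZONE_OID" '
        NR > 2 && $1 == oid {
            v = $0
            sub(/^[^ \t]+[ \t]+/, "", v)   # drop the OID field
            sub(/^STRING: */, "", v)       # drop the type tag, if printed
            gsub(/^"|"$/, "", v)           # drop surrounding quotes
            sub(/\.$/, "", v)              # drop a trailing dot
            print v; exit
        }'
}

# zone_allowed: 0 if $1 exactly matches an entry of ALLOWED_ZONES, else 1.
# Trap-supplied text must never reach unbound-control unvalidated.
zone_allowed() {
    for z in $ALLOWED_ZONES; do
        [ "$1" = "$z" ] && return 0
    done
    return 1
}

# flush_cmd: read a trap on stdin and print the command to run, or fail
# (non-zero) when the trap carries no zone or an unknown one.
flush_cmd() {
    zone=$(zone_from_trap)
    [ -n "$zone" ] || { echo "trap carries no zone name" >&2; return 1; }
    zone_allowed "$zone" || { echo "refusing unknown zone: $zone" >&2; return 1; }
    printf '%s flush_zone %s\n' "$UNBOUND_CONTROL" "$zone"
}

# main: run the validated command; $cmd is safe to word-split because the
# zone was matched exactly against the allow-list.
main() {
    cmd=$(flush_cmd) || exit 1
    $cmd
}

# Only act when installed under the assumed handler name, so the functions
# can also be sourced or tested without touching a running Unbound.
case "$(basename "$0")" in
    unbound-flush-handler) main ;;
esac
```

Two caveats a practitioner would add. First, this only moves the trust question: snmptrapd must itself reject traps that do not carry the expected community string, or better an SNMPv3 user with authentication, or an unauthenticated trap triggers the flush just as an unauthenticated NOTIFY would. Second, the allow-list is what keeps trap contents from being interpreted as anything other than a zone name; without it, a crafted varbind value would be handed to the shell.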