Maintained by: NLnet Labs

[Unbound-users] Issuing multiple commands over the control channel

Alexander Clouter
Mon Mar 8 17:08:34 CET 2010


Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> I am wondering if it's possible to issue >1 command over the SSL control 
> channel? Specifically "flush" commands for >1 host. I might want to 
> flush anything from 1-1000 specific hosts from the cache (most commonly 
> 2-10) every few minutes.
>
...well if all your DDNS stuff is not in your 'main' zone[1] then you 
could just use 'flush_zone' instead.

> I am considering a move away from this model, and was initially 
> reluctant to look at unbound because of the difficulty of maintaining 
> this stealth slave. However it then occurred to me that I could simply 
> "flush" the changed names inside the master update process, since I 
> know what they are.
>
We use BIND9 (pulling from LDAP) for our hidden primary, and shovel our 
external view zone to...well yourself and the internal view to two 
internal instances of NSD3.  These run on the same boxes as unbound, 
they give our internal clients recursive action, fronted by some Cisco 
IOS SLB action.

The NSD3 daemons are IXFRing so always have the latest copy of 
hosts.soas.ac.uk and unbound has a bunch of 'stub-zone' steering them at 
localhost (also to deal with the DNS view issue for our regular zones 
too).

<shameless-plug>
See me at Networkshop 38 showing just this! :)
</shameless-plug>

I'm yet to start calling regularly 'flush_zone', but it is on my todo 
list.

Cheers

[1] we have no DDNS entries in 'soas.ac.uk', however we do use it for
	'hosts.soas.ac.uk'
 
-- 
Alexander Clouter
.sigmonster says: This PIZZA symbolizes my COMPLETE EMOTIONAL RECOVERY!!
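
The choice discussed in this thread, per-name 'flush' versus a single 'flush_zone' when every changed name sits in the DDNS zone, as an added example that is not from either poster. The threshold, the function names and the print-the-commands (dry run) behaviour are assumptions; only `unbound-control flush` and `unbound-control flush_zone` are real commands.

```shell
#!/bin/sh
# Added example: plan cache flushes for names changed by a DDNS update.
DDNS_ZONE="hosts.soas.ac.uk"   # zone named in the message's footnote
ZONE_THRESHOLD=10              # assumed cut-over point, tune locally

# Accept only plain DNS hostnames (letters, digits, '-', '.'), so nothing
# from the update feed can be read as an option or as shell syntax.
valid_name() {
    case "$1" in
        ""|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# in_zone NAME ZONE: true when NAME is ZONE itself or a subdomain of it.
# The match is case-sensitive; a miss only falls back to per-name flushes.
in_zone() {
    n=${1%.}; z=${2%.}
    case "$n" in
        "$z"|*".$z") return 0 ;;
    esac
    return 1
}

# plan_flush: read changed names on stdin (one per line) and print the
# unbound-control commands to run; nothing is executed here.
plan_flush() {
    names=""; count=0; all_in_zone=1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! valid_name "$name"; then
            echo "skipping invalid name from update feed" >&2
            continue
        fi
        in_zone "$name" "$DDNS_ZONE" || all_in_zone=0
        names="$names $name"; count=$((count + 1))
    done
    # One zone flush only when it cannot drop anything outside the DDNS zone.
    if [ "$count" -gt "$ZONE_THRESHOLD" ] && [ "$all_in_zone" -eq 1 ]; then
        echo "unbound-control flush_zone $DDNS_ZONE"
    else
        for host in $names; do echo "unbound-control flush $host"; done
    fi
}
```

Pipe the changed names from the update process into `plan_flush` and review the printed commands before running them.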