Maintained by: NLnet Labs

[Unbound-users] Feature Request for Unbound: Orientation

Paul Wouters
Thu Sep 15 21:34:42 CEST 2011


On Wed, 14 Sep 2011, Ed - 0x1b, Inc. wrote:

> I have a feature request for Unbound: Orientation
>
> Could Unbound use the same DNSSEC methods that confirm the root name
> servers to also confirm that an authoritative server on the local
> network segment is affirmatively authoritative, private or fqdn?  What
> this tells me is that my system knows for certain that it is in a
> particular network and domain. If so, it can change the firewall rules
> and run services as well as scripts for synchronization, etc...  These
> are all things I would only want to do if I were on my own network. Or
> maybe I would want to do them differently depending on my system's
> network/domain orientation. This is a question more and more systems
> will face, and I think Unbound can be the best way to know where one
> is in these networks.
>
> As a bonus, if Unbound could communicate the system's orientation by
> way of D-bus it would be even more useful.  [re: systemd?]

I think it would be more the other way around (as Wouter has been
experimenting with using dnssec-trigger). NetworkManager/DBus determines
your network, and reconfigures unbound appropriately.

Perhaps you can do something with unbound-anchor for your private keys,
but in the end, anyone that can replay dnssec data can "pretend" to be
your secure network, so DNS is not a good measurement.

Paul
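
The replay point in the reply above, as an added example that is not part of the original thread or of Unbound's code: a signed record validates wherever it is served while its validity window is open, whereas a check bound to a fresh nonce rejects a recorded answer. HMAC stands in for the zone's public-key signature, and the record name, key, timestamps and the nonce check (shown only for contrast) are constructed assumptions.

```python
import hashlib
import hmac
import os

ZONE_KEY = b"constructed-demo-key"  # assumption: stand-in for the private zone's signing key

def _sign(data: bytes) -> bytes:
    # HMAC replaces the DNSSEC public-key signature so the example needs only the stdlib.
    return hmac.new(ZONE_KEY, data, hashlib.sha256).digest()

def _canonical(rec: dict) -> bytes:
    return "|".join(str(rec[k]) for k in ("name", "rdata", "inception", "expiration")).encode()

def make_signed_rrset(name, rdata, inception, expiration) -> dict:
    """Model of a signed answer: data plus a signature valid for a time window."""
    rec = {"name": name, "rdata": rdata, "inception": inception, "expiration": expiration}
    rec["sig"] = _sign(_canonical(rec))
    return rec

def validate_rrset(rec: dict, now: int) -> bool:
    """DNSSEC-style check: signature and validity window only.
    Nothing here depends on which network delivered the record."""
    sig_ok = hmac.compare_digest(rec["sig"], _sign(_canonical(rec)))
    return sig_ok and rec["inception"] <= now <= rec["expiration"]

def answer_challenge(nonce: bytes) -> bytes:
    """Response only a party holding the key can compute for this nonce."""
    return _sign(b"challenge|" + nonce)

def validate_challenge(nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(response, _sign(b"challenge|" + nonce))

def demo() -> dict:
    # Constructed record that a "home network" server would publish.
    home = make_signed_rrset("marker.home.example.", "192.0.2.53", 1000, 2000)
    recorded = dict(home)  # copy kept by anyone who once saw the answer
    first_nonce, later_nonce = os.urandom(16), os.urandom(16)
    old_response = answer_challenge(first_nonce)
    return {
        "validated_at_home": validate_rrset(home, now=1100),
        "replayed_on_other_network": validate_rrset(recorded, now=1500),
        "replayed_after_expiry": validate_rrset(recorded, now=2500),
        "fresh_challenge": validate_challenge(first_nonce, old_response),
        "old_response_new_nonce": validate_challenge(later_nonce, old_response),
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```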