Maintained by: NLnet Labs

[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?

Jiri Bohac
Tue Feb 11 11:53:31 CET 2014


Hi Wouter, 

On Tue, Feb 11, 2014 at 09:37:27AM +0100, W.C.A. Wijngaards wrote:
> > On 2014-02-10, at 16:17, Jiri Bohac <jiri at boha.cz> wrote:
> 
> The options are called deny_non_local and refuse_non_local.  They
> differ in what you want them to do with the disallowed
> non-authoritative queries (drop or refuse, refuse is nicer and is more
> like a regular authority server).

I looked at the patch, but that only adds acl options for local
zones.  My authoritative zones are served by a locally running
NSD (on a nonstandard port) that unbound uses through a stub
zone.

Do you think adding another two options, e.g.
	deny_non_stub
	refuse_non_stub
would make sense?

Or perhaps changing
	deny_non_stub to deny_non_recursive
	and
	refuse_non_stub to refuse_non_recursive
... and differentiating based on the DR bit of the request,
instead of the zone? 

I can make, test and post the patches.

Thanks,

-- 
Jiri Bohac
e-mail/jabber: jiri at boha.cz