Maintained by: NLnet Labs

[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?

W.C.A. Wijngaards
Tue Feb 11 13:47:47 CET 2014



Hi Jiri,

On 02/11/2014 11:53 AM, Jiri Bohac wrote:
> Hi Wouter,
> 
> On Tue, Feb 11, 2014 at 09:37:27AM +0100, W.C.A. Wijngaards wrote:
>>> On 2014-02-10, at 16:17, Jiri Bohac <jiri at boha.cz> wrote:

I would like to say that Joe Abley's advice is very good, and you
should see if you can do that.  That would likely be a better setup.
If not, let's talk about unbound configuration.

>> The options are called deny_non_local and refuse_non_local.
>> They differ in what you want them to do with the disallowed 
>> non-authoritative queries (drop or refuse, refuse is nicer and is
>> more like a regular authority server).
> 
> I looked at the patch, but that only adds acl options  for local 
> zones.  My authoritative zones are served by a locally running NSD
> (on a nonstandard port) that unbound uses through a stub zone.

Yes I see.  That would need some sort of patch.  Please reconsider
Joe's setup, which is what is recommended by DNS Operations RFCs.

> Do you think adding another two options, e.g. deny_non_stub 
> refuse_non_stub would make sense?
> 
> Or perhaps changing deny_non_stub to deny_non_recursive and 
> refuse_non_stub to refuse_non_recursive ... and differentiating
> based on the RD bit of the request, instead of the zone?

Don't differentiate based on the +RD bit.  Because authority servers
should respond to +RD requests.  So this would create a flawed
authority server.

> 
> I can make, test and post the patches.

What you could make is some sort of configuration option for the
local-zone directive, that is much like the deny_non_local, but allows
these servers to only query that specific zone and not other zones...
Not sure how to do this cleanly.  Patches can be stored in unbound's
contrib directory in the source, to benefit others with similar issues.

Best regards,
   Wouter

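As an added illustration of the setup discussed in this thread (not a configuration posted by either participant), the unbound.conf sketch below puts the refuse_non_local action beside a stub-zone that forwards to a locally running NSD; the client prefix 192.0.2.0/24, the zone names and the NSD port 5353 are assumed values.

```yaml
# Added example, not from the mailing-list thread. Prefix, zone names
# and the NSD port are assumed values chosen for illustration.
server:
    interface: 0.0.0.0
    # Internal clients (assumed prefix) may use unbound as a full recursor.
    access-control: 192.0.2.0/24 allow
    # Everyone else only gets answers that come from local-zone/local-data.
    # Any other query is answered with REFUSED (refuse_non_local) instead of
    # being silently dropped (deny_non_local), which looks more like a
    # regular authority server to the remote client.
    access-control: 0.0.0.0/0 refuse_non_local

    # Data unbound serves itself as a local zone: covered by the
    # *_non_local actions, so clients matched by refuse_non_local
    # can still resolve these names.
    local-zone: "internal.example." static
    local-data: "host.internal.example. IN A 192.0.2.10"

# Authoritative zone held by NSD on a non-standard local port (assumed).
# The *_non_local actions only cover local-zone data, not stub zones, so
# a client matched by refuse_non_local asking for example.org. is refused.
# That is the gap the thread discusses; it is why the recommended setup
# is to expose NSD to authoritative clients directly.
stub-zone:
    name: "example.org."
    stub-addr: 127.0.0.1@5353
```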