Maintained by: NLnet Labs

[Unbound-users] combining python + 2 iterator modules

Petr Spacek
Fri Jan 23 12:19:54 CET 2015


On 23.1.2015 11:52, Yuri Schaeffer wrote:
> Hi Petr,
> 
> I think Paul makes an excellent point. Also, having this 'internal

Let me clarify my design goals:
1) Get a reliable DNSSEC validator for roaming clients.
2) It has to handle DNS split views.
3) It can *not* rely on untrusted information (like DHCP search lists etc.)
4) It can *not* rely on explicit configuration from user or network administrator.

This is of course a huge hack, but to me it seems an inevitable hack if we
want to deploy DNSSEC validators everywhere.

BTW Fedora 22 (to be finished around May 2015) is planned to contain a DNSSEC
validator in every installation, so it can't possibly rely on manual
configuration just to make DNS work again (if the local network is broken).

> view' in your local Unbound cache seems less than ideal for roaming
> users.

I did not describe implementation details in depth. One of the details is that
the cache should be flushed after a configuration change. This (theoretical) module
should be used along with dnssec-trigger or a similar system which will handle
cache maintenance as necessary.

(BTW an option to flush only unsigned records from cache would be a nice thing
to have.)

>> This algorithm covers DNS split-views with internal unsigned views
>> pretty nicely as long as the fundamental assumption holds.
> 
> If it doesn't, your DNS problems get again a little harder to debug.
> At this point I have no suggestion for a feasible solution though.

I'm definitely open to suggestions on how to implement a system which fulfills
the goals described above.

In the meantime (before someone invents something better :-) I would be very glad
for any advice on how the original design could be implemented with the current
Unbound codebase.

-- 
Petr Spacek  @  Red Hat