Maintained by: NLnet Labs

Does "stub-prime: yes" refresh NS list as zone apex changes?

W.C.A. Wijngaards
Thu Sep 29 09:27:16 CEST 2016


Hi Viktor,

On 29/09/16 09:14, Viktor Dukhovni via Unbound-users wrote:
> 
> I read that "stub-prime: yes" obtains the initial "NS" list from
> the zone's parent as usual, but what happens after that?  Is that
> "NS" list effectively "frozen" for the life-time of the unbound(8)
> server process, or does it get updated as the NS records change at
> the zone apex?

Yes, they are updated when their TTL expires. Much like the way that root
hints are primed and updated.

Best regards, Wouter

> 
> The reason I ask is that when forwarding most queries to an
> upstream cache:
>  
> 	forward-zone: 
> 		name: "."
> 		forward-addr: 192.0.2.1
> 		forward-first: yes
> 
> it is tempting to handle exceptions via:
>  
> 	stub-zone: 
> 		name: "example.net"
> 		stub-prime: yes
> 
> where queries for "example.net" are not forwarded upstream, but
> instead go direct to the authority servers.  However, what is not
> clear from the documentation, is whether the NS RRset obtained via
> "stub-prime: yes" is ever updated.  The idea here is not to go to
> some other set of servers that are manually configured, but rather to
> avoid indirect forwarding, so updates would in fact be wanted for
> this to work.
> 

