[Unbound-users] combining python + 2 iterator modules
Petr Spacek
pspacek at redhat.com
Thu Jan 22 17:00:26 UTC 2015
On 22.1.2015 10:37, Yuri Schaeffer wrote:
> Hi Petr,
>
>> I would like to know if it is possible to somehow combine 1 custom
>> python module with two instances of iterator modules (with different
>> configurations).
>
> I don't see a way to do that within a reasonable amount of work. Might I
> suggest sharing the problem you are trying to solve with the list, rather
> than your solution?
The purpose of this exercise is to help with DNSSEC validation on roaming
machines & support DNS split views at the same time.
Fundamental assumption:
Internal & external DNS view are both signed or both unsigned.
It should work like this:
1) Probing/preparation when client connects to a network:
Client probes if servers advertised by DHCP support DNSSEC:
a) If DHCP-advertised servers *do support* DNSSEC -> use them for
everything, do full validation.
b) If DHCP-advertised servers *do not support* DNSSEC:
- Find a hole in firewall so we can contact DNS servers on public Internet.
2) Query processing for cases where local servers do not support DNSSEC:
- Do recursion and validation using external DNS servers.
a) If result is SECURE -> return result.
b) If result is provably INSECURE -> query local servers advertised by DHCP
and return whatever they returned.
This algorithm covers DNS split-views with internal unsigned views pretty
nicely as long as the fundamental assumption holds.
Thank you for any implementation advice!
--
Petr Spacek @ Red Hat
More information about the Unbound-users
mailing list