Maintained by: NLnet Labs

[Unbound-users] serving stub-zones authoritatively

David Blacka
Wed Oct 1 21:11:49 CEST 2008


On Oct 1, 2008, at 2:52 PM, Paul Wouters wrote:

> On Wed, 1 Oct 2008, David Blacka wrote:
>
>> What I think you are getting at is that it should be possible to  
>> have unbound and nsd running on a box, and have that box be a  
>> resolver for most things or most clients, but actually be  
>> authoritative for the stuff running on nsd.
>
> Argh. This is a "too many buttons for people to push" problem. We're  
> still seeing
> combined auth/resolver servers because of bind, and it's bad in  
> general. Let's
> not try and repeat it using nsd+unbound hacks.
>
> Run them on seperate machine's or IP's as indepdendant services. If  
> you want
> unbound to catch up on nsd reloads, script it so that unbound drops  
> its cache.

OK, so what do I do if I don't have multiple machines or multiple  
IPs?  I think you are suggesting that I can't use unbound.

I'll admit that the combined resolver/auth server isn't a good model,  
and, indeed, that is why unbound and nsd are strictly one thing or the  
other.  However, there are people that will want to run in this  
combined mode, and some that, arguably, will need to.  So, we either  
tell those folks to take a hike because they are "wrong", or we find a  
way to allow them to use unbound.

Using dnsproxy might be good enough.  OTOH, it might also be nice to  
not force these people to run *three* separate packages in order to do  
what they want.

--
David Blacka                          <davidb at verisign.com>
Sr. Engineer          VeriSign Platform Product Development






-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3899 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20081001/faf5c0dd/attachment.bin>