On Oct 1, 2008, at 2:52 PM, Paul Wouters wrote:

> On Wed, 1 Oct 2008, David Blacka wrote:
>
>> What I think you are getting at is that it should be possible to
>> have unbound and nsd running on a box, and have that box be a
>> resolver for most things or most clients, but actually be
>> authoritative for the stuff running on nsd.
>
> Argh. This is a "too many buttons for people to push" problem. We're
> still seeing combined auth/resolver servers because of bind, and it's
> bad in general. Let's not try and repeat it using nsd+unbound hacks.
>
> Run them on separate machines or IPs as independent services. If you
> want unbound to catch up on nsd reloads, script it so that unbound
> drops its cache.

OK, so what do I do if I don't have multiple machines or multiple IPs? I think you are suggesting that I can't use unbound.

I'll admit that the combined resolver/auth server isn't a good model, and, indeed, that is why unbound and nsd are strictly one thing or the other. However, there are people that will want to run in this combined mode, and some that, arguably, will need to. So, we either tell those folks to take a hike because they are "wrong", or we find a way to allow them to use unbound.

Using dnsproxy might be good enough. OTOH, it might also be nice to not force these people to run *three* separate packages in order to do what they want.

--
David Blacka <davidb at verisign.com>
Sr. Engineer VeriSign Platform Product Development