[Unbound-users] NOTIFY implementation to unbound

Marcus Alves Grando marcus at sbh.eng.br
Thu Oct 8 14:24:16 UTC 2009


Hello,

On 10/08/2009 05:15 AM, W.C.A. Wijngaards wrote:
> Hi Marcus,
> 
> The patch code looks fine, but the problem is security for this.
> 
> If you were to create a small program listening on port 12345 that
> runs next to your unbound servers, that flushes the zone when notified
> (using unbound-control on the local machine). evldns could be easy to
> build such a thing.  Then direct the notifies to that other port number.
> Would that solve your issues in an architecturally sound manner?
> 
> since ldns has some tsig functionality, that could then also be brought
> to bear to secure the situation properly.

The main idea is create one way to recursive server keep all my zones
freshly, without update all process or less as possible.

Implementing notify to unbound I don't need to change anything in master
server, but need to respect RFC and not implement anything then notify.

Your manner, creating evldns daemon in another port is secureless too.
Yes, it's another port but notify does not include security option. If
same people discovery evldns port is the same thing as implement notify
to unboud.

I have no problem with evldns daemon and yes, it will be solve my
problem, but for me it's another thing to take care, create some way to
keep running, another procedure in case of fail to our operators, etc.

If you guys thing that notify is not a better way, I'll create evldns
daemon without problem, but for me it's a same thing.

Best regards.

> 
> Best regards,
>    Wouter
> 
> On 10/07/2009 09:58 PM, Marcus Alves Grando wrote:
>> On 10/05/2009 03:55 PM, Marcus Alves Grando wrote:
>>> Hello guys,
>>>
>>> We started to test unbound in our internal DNS servers, but when has
>>> some zone update we need to wait until ttl expire to had a fresh
>>> information. To solve this problem I implemented NOTIFY part in unbound
>>> to flush qname in cache.
>>>
>>> I think that can be used in many cases, since most of times we need to
>>> propagate fast DNS modifications to our DNS internals.
>>>
>>> I need to implement acl yet (notify-access-control), but what
>>> maintainers think about?
>>
>> Complete version with acl attached. Need flex/bison to recreate related
>> files.

-- 
Marcus Alves Grando
marcus(at)sbh.eng.br | Personal
mnag(at)FreeBSD.org  | FreeBSD.org



More information about the Unbound-users mailing list