UNBOUND AXFR

Luiz Fernando Softov fernando at softov.com.br
Tue Jul 13 19:15:20 UTC 2021


Hi,

I understand Unbound's purpose as a recursive DNS server.

Unbound has auth-zone but doesn't act as fully authoritative?
As the doc:
- for-downstream: yes, and when used in this manner make unbound respond
like an authority server.

If I understand right and want to be fully authoritative I need NSD or
BIND9?

I read some parts of the code to understand more.
I have used the same zone in unbound and NSD, and they reply the same way.

If unbound downloads the zone using http without authentication,
and can download the zone by receiving XFR replies, why doesn't it just reply to
XFR queries?
Even just AXFR (without IXFR).

Since the first unbound was released, it has grown.
Is there a bigger reason, or is it just because unbound will always be
focused on a recursive server?

I don't want to need to run another daemon with other dependencies, to do
something that is already partially done.
That means having another, totally separate control.

If it's not and will not become possible (even if someone coded that, PR),
that's fine.
It's just, I really wanted to know if there was a specific reason, as most
of the features are already there.

Thanks a lot for the reply.



On Tue, Jul 13, 2021 at 12:42, Unbound <unbound at tacomawireless.net>
wrote:

> On 2021-07-13 03:42, Luiz Fernando Softov via Unbound-users wrote:
> > I was trying to use auth-zone and I succeeded in getting it running.
> > Simple example.com and in-addr.arpa zones.
> > Then I used ldns-keygen, ldns-signzone and created signed zones.
> >
> > When I was trying to transfer the zone I figured out that unbound doesn't do
> > AXFR or IXFR.
> >
> > In the doc
> > If you point it at another Unbound instance, it would not work
> > because that does not support AXFR/IXFR for the zone, but if you
> > used url: to download the zonefile as a text file from a
> > webserver that would work.
> >
> > Is there any reason for this working that way?
> > Unbound was written for the same people* that write NSD, correct?
> >
> > Even the same lib LDNS is present in the code.
> >
> > ps. a long time since 1.7.1 was released, I needed to compile the develop
> > branch (1.7.2), since there are a lot of corrections, leak stuff, ...)
> >
> > Unbound already has auth-zone, update using http :O, why don't AXFR and
> > IXFR?
> > XFR also provides security, best I know.
> >
> > Is this related with no time to code? A software design?
> > Are there plans to support XFR?
> >
> > I can try to code and make a Pull Request?
> > Or is there some other reason, and this can't be done?
> >
> > I want to just use unbound, don't want to use nsd or bind with stub.
> If I understand your questions correctly, I think you misunderstood Unbound's
> purpose.
> Unbound, although it runs as a service, is more a client. Much the same as your
> web browser is a web client, not a web server. It searches and looks at web
> pages.
> It doesn't create or serve them. It's much the same with Unbound. While you could
> technically dump the query chain from the query log to a zone file, it's not its
> intent to do this sort of thing. What you're asking about is more the function of an
> authoritative name server, not a recursive server (client).
>
> HTH
>
> --Chris
>
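
The two-instance arrangement discussed in this thread, as an added configuration sketch that is not from either poster or from the Unbound documentation: instance A answers for a signed zone held on disk, and instance B obtains the zone file with `url:` because A will not answer AXFR/IXFR. The addresses, file paths and the hostname zones.example.net are constructed placeholders, and a separate web server publishing the zone file is assumed.

```conf
# ---- Instance A (unbound.conf): answers for the zone from a local file ----
server:
    interface: 192.0.2.1              # constructed address
    access-control: 192.0.2.0/24 allow

auth-zone:
    name: "example.com"
    # Signed zone file produced offline (e.g. with ldns-signzone).
    zonefile: "/etc/unbound/zones/example.com.signed"
    for-downstream: yes               # answer clients like an authority server
    for-upstream: no                  # do not use the zone data for recursion
    fallback-enabled: no              # never fall back to internet lookups

# ---- Instance B (unbound.conf): second server for the same zone ----
server:
    interface: 192.0.2.2              # constructed address
    # CA bundle used to authenticate the https download below
    # (path is an assumption, it varies by OS).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

auth-zone:
    name: "example.com"
    # Would NOT work: instance A does not serve AXFR/IXFR.
    # primary: 192.0.2.1
    #
    # Works: fetch the zone file as text from a web server.
    # https is used rather than http so the download is authenticated
    # by the server certificate instead of being taken on trust.
    url: "https://zones.example.net/example.com.signed"
    zonefile: "/var/lib/unbound/example.com.signed"   # local copy
    for-downstream: yes
    for-upstream: no
    fallback-enabled: no
```

With a plain `http://` URL in place of the `https://` one, instance B accepts whatever zone content the network path delivers, which is the unauthenticated download the first message points out.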