On Tue, 14 Feb 2012 08:09:16 +0000 Peter van Oord van der Vlies <peter.vanoordvandervl...@itisit.nl> wrote:
> Hello,
>
> Why replace bind?

Because bind is full of security-related bugs and is bloatware.

Yours
C. O.

> Kind Regards
>
> Peter
>
> ----- Original message -----
> From: Björn Ketelaars [mailto:bjorn.ketela...@hydroxide.nl]
> Sent: Monday, February 13, 2012 10:35 PM
> To: m...@openbsd.org <m...@openbsd.org>; tech@openbsd.org <tech@openbsd.org>
> Subject: Unbound in base
>
> Hello,
>
> After some recent discussions [1, 2] on the topic of unbound in base,
> and (more important) really liking the idea of an alternative for
> BIND in base, I made a start with fitting the different pieces of the
> puzzle. What is finished:
>
> 1.) Integration of ldns 1.6.12 and unbound 1.4.15 and writing of
>     relevant Makefile wrappers. Wrapper script also compiles and
>     installs drill;
> 2.) Testing (read: does it compile and work) on AMD64.
>
> Stuart Henderson had some good remarks on integrating the above [3].
> What do you guys think of the following:
>
> What to do with the BIND tools (dig/host/nslookup)?
>
> Unbound offers drill. From drill.1: "The name drill is a pun on dig.
> With drill you should be able get even more information than with
> dig.". Proposal therefore is to replace the BIND tools with drill.
>
> Do we run unbound-anchor automatically? If so, how do we handle
> possibly not having working DNS at that time to resolve data.iana.org
> (http://data.iana.org)?
>
> From unbound-anchor.8 I understand that unbound-anchor can be run
> from the command line, or run as part of startup scripts _before_ the
> actual (unbound) DNS server is started. So there is no need for DNS.
> Proposal therefore is to run unbound-anchor automatically before
> starting the unbound daemon (rc_pre in unbound rc-script).
>
> How and when do we automatically generate unbound-control keys? If
> so, where should that be done? …
>
> From unbound-control.8: The script unbound-control-setup generates
> these control keys in the default run directory. If you change the
> access control permissions on the key files you can decide who can
> use unbound-control. Run the script under the same username as you
> have configured in unbound.conf or as root, so that the daemon is
> permitted to read the files, for example with: sudo -u unbound
> unbound-control-setup. If you have not configured a username in
> unbound.conf, the keys need read permission for the user credentials
> under which the daemon is started. The script preserves private keys
> present in the directory. After running the script as root, turn on
> control-enable in unbound.conf.
>
> The unbound-control-script can be called from rc->make_keys(). The
> knob 'control-enable' can be set as default.
>
> After tar/gzip the source files and Makefile wrappers weigh ~4.6MB. A
> bit too large to send to this list. If anyone feels like looking at
> the work… do not hesitate to mail me.
>
> Again, what do you guys think?
>
> Kind regards,
>
> Björn
>
> [1] http://marc.info/?l=openbsd-misc&m=132205020820910&w=2
> [2] http://marc.info/?l=openbsd-tech&m=132573371521516&w=2
> [3] http://marc.info/?l=openbsd-misc&m=132217547525487&w=2
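
The unbound-control.8 passage quoted above ties control access to the permissions on the key files. The following is an added example, not part of the thread or of the unbound or OpenBSD sources: a shell check a startup script could run after unbound-control-setup. The function name and the directory argument are assumptions; the four file names are the ones unbound-control-setup writes.

```shell
#!/bin/sh
# Added example: audit the files written by unbound-control-setup.
# The directory argument is an assumption; pass the run directory that
# your unbound.conf actually uses.

# Prints one line per finding; returns 0 if clean, 1 if something must be fixed.
audit_control_keys() {
    dir=$1
    bad=0
    # All four files must exist before control-enable is useful.
    for f in unbound_server.key unbound_server.pem \
             unbound_control.key unbound_control.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f (run unbound-control-setup)"
            bad=1
        fi
    done
    # Private keys: whoever can read unbound_control.key can drive the daemon.
    for f in unbound_server.key unbound_control.key; do
        [ -f "$dir/$f" ] || continue
        # ls -ld mode string: char 1 type, 2-4 owner, 5-7 group, 8-10 other
        mode=$(ls -ld "$dir/$f" | cut -c1-10)
        group=$(printf '%s' "$mode" | cut -c5-7)
        other=$(printf '%s' "$mode" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "FAIL $f is accessible to all users ($mode)"
            bad=1
        elif [ "$group" != "---" ]; then
            # Not an error: group access is how unbound-control use is delegated.
            echo "NOTE $f is accessible to its group ($mode)"
        fi
    done
    return $bad
}
```

A NOTE line is informational: it shows which key files delegate access through group membership, so the group on those files should contain only accounts meant to use unbound-control.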