On Tue, Oct 13, 2009 at 20:53, Greg A. Woods <[email protected]> wrote:
> At Thu, 8 Oct 2009 10:41:20 -0400 (EDT), Paul Wouters <[email protected]>
> wrote:
> Subject: Re: [Unbound-users] NOTIFY implementation to unbound
>>
>> On Thu, 8 Oct 2009, Marcus Alves Grando wrote:
>>
>> > The main idea is to create one way for the recursive server to keep all my zones
>> > fresh, without updating the whole process, or as little as possible.
>>
>> Would using a forward zone address this?
>>
>> # Forward zones
>> # Create entries like below, to make all queries for 'example.com' and
>> # 'example.org' go to the given list of servers. These servers have to handle
>> # recursion to other nameservers. List zero or more nameservers by hostname
>> # or by ipaddress. Use an entry with name "." to forward all queries.
>> # forward-zone:
>> # name: "example.com"
>> # forward-addr: 192.0.2.68
>> # forward-addr: 192.0.2...@5355 # forward to port 5355.
>>
>> The description does not make it clear whether or not the responses are
>> always forwarded, or whether they are cached.
>
> I've been wondering the same thing for a long time now. I think based
> on my experience with one site where I've set up unbound using
> forward-addr they are cached, which would-be/is (IMHO) wrong.
Why? I don't consider this wrong - Unbound is a full caching resolver and not just a stub resolver. I guess it could be a per-forward option, but it's not wrong.

> Ultimately though I like the NOTIFY solution best.

And it's a direct violation of RFC1996. I wouldn't call it a "solution", but a "hack". While I consider it to be fine for Marcus (it's his network after all), I would be extremely unhappy to see this in unbound upstream.

> Sites converting from BIND will already be using NOTIFY.

Eh? Could you point me to the bind9 documentation saying that Bind9 will flush the cache if it receives a notify?

> The so-called "security" issue for NOTIFY is a bunch of FUD-mongering.
> There are several ways to make sure unauthorised NOTIFY messages don't
> cause any harm.

And there are several ways to make it compliant with existing protocols; several were mentioned and I am adding another one: Configure snmptrapd with an action to call unbound-control flushcache, and trigger an SNMP trap when a zone changes.

Ondrej
--
Ondřej Surý <[email protected]>
http://blog.rfc1925.org/
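One concrete form of the snmptrapd hook Ondřej sketches above, added here as an example and not taken from the thread or from the Unbound project: a traphandle script that allowlists both the trap sender and the zone named in the trap before calling `unbound-control flush_zone` (the post's "flushcache"). The script name, the environment variable names and the allowlist values are assumptions; the stdin layout is what snmptrapd's traphandle mechanism passes to its program.

```shell
#!/bin/sh
# unbound-flush-trap.sh (hypothetical name): snmptrapd traphandle script.
# Hook it up in snmptrapd.conf with:
#   authCommunity execute <community>
#   traphandle default /usr/local/sbin/unbound-flush-trap.sh --handle
# snmptrapd feeds the trap on stdin: line 1 = sender hostname, line 2 =
# transport address, then one "OID value" line per varbind.
# unbound-control needs remote-control enabled in unbound.conf.

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
# Allowlists (assumed variable names, constructed values): only traps from
# these senders may flush, and only these zones, so a stray or forged trap
# cannot empty the cache for arbitrary names.
ALLOWED_SENDERS="${ALLOWED_SENDERS:-192.0.2.10}"
ALLOWED_ZONES="${ALLOWED_ZONES:-example.com example.org}"

# Reduce "UDP: [192.0.2.10]:44567->[192.0.2.1]:162" to the sender's IP;
# older net-snmp versions print a bare address, which is used as-is.
sender_ip() {
    ip=$(printf '%s\n' "$1" | sed -n 's/^[^[]*\[\([0-9.]*\)\].*/\1/p')
    [ -n "$ip" ] || ip=${1%% *}
    printf '%s\n' "$ip"
}

in_list() {  # in_list ITEM "a b c"
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# Read one trap from stdin; flush every allowlisted zone named in a varbind.
# Returns 0 if at least one flush was issued, 2 if nothing matched.
handle_trap() {
    IFS= read -r _host || return 1
    IFS= read -r transport || return 1
    ip=$(sender_ip "$transport")
    in_list "$ip" "$ALLOWED_SENDERS" || { echo "ignored trap from $ip" >&2; return 2; }
    rc=2
    while IFS= read -r line; do
        # Varbind value = last token; strip quotes, trailing dot and case.
        zone=$(printf '%s\n' "$line" |
            awk '{v=$NF; gsub(/"/,"",v); sub(/\.$/,"",v); print tolower(v)}')
        if in_list "$zone" "$ALLOWED_ZONES"; then
            "$UNBOUND_CONTROL" flush_zone "$zone" && rc=0
        fi
    done
    return $rc
}

if [ "${1:-}" = "--handle" ]; then handle_trap; fi
```

The flush runs on the resolver itself, so the SNMP side only needs the trap receiver's credentials and the allowlists above, not access to the DNS control key from the authoritative side.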
