Re: fastrpz

2016-01-01 Thread Paul Vixie via Unbound-users
On Thursday, December 31, 2015 08:26:49 PM Paul Vixie wrote: > farsight fastrpz is not open source software, nor is it free, and i'm fairly > sure that the moderators won't want a long discussion of its features or > terms here. send me e-mail if you're interested in participating in field >

fastrpz

2015-12-31 Thread Paul Vixie via Unbound-users
greetings. i've heard that several unbound users have asked about rpz support of late. farsight security is in the late stages of development of "fastrpz", a commercial software package that handles the rpz publish/subscribe functions and offers a fast shared-memory semi-portable api to the

Re: Trying to fetch SRV data with libunbound / libldns

2016-05-12 Thread Paul Vixie via Unbound-users
wrapsrv, which is linked from the page below, is an open source tool capable of extracting (and utilizing) SRV records. https://www.farsightsecurity.com/Blog/20160328-stsauver-magic-of-srv/ vixie

Re: What is the most convenient way for logging request including client source address?

2016-11-14 Thread Paul Vixie via Unbound-users
Tony Finch wrote: > Paul Vixie via Unbound-users <unbound-users@unbound.net> wrote: > >> if anyone tries dnstap and encounters any trouble, please reach out to >> me. it is farsight's goal to push this bsd-licensed open source >> technology into the community

Re: What is the most convenient way for logging request including client source address?

2016-11-14 Thread Paul Vixie via Unbound-users
if anyone tries dnstap and encounters any trouble, please reach out to me. it is farsight's goal to push this bsd-licensed open source technology into the community and to make it easier for all operators to see in real time what their name servers are doing.

Re: TCP fallback on timeout

2017-04-28 Thread Paul Vixie via Unbound-users
David Conrad wrote: > On Apr 27, 2017, 4:28 PM -0700, Paul Vixie via Unbound-users > <unbound-users@unbound.net>, wrote: > >> so in effect, TCP is not required, and will never be required. the >> installed base and its long tail matter more than the wording of 1035.

nominalism of standards (Re: TCP fallback on timeout)

2017-04-28 Thread Paul Vixie via Unbound-users
Paul Vixie wrote: >> ... > > i'll go further: i think that's a good clarification of and alteration > to the standards. i just don't think it's wise to expect a tcp-only > initiator, or a tcp-only responder, to function reliably. (ever.) so the > standard is nominal, and should guide other

Re: TCP fallback on timeout

2017-04-27 Thread Paul Vixie via Unbound-users
Havard Eidnes via Unbound-users wrote: >> Unfortunately, DNS servers aren't required to support TCP. > > IMHO, that is an all too commonly held misconception. Publishing name > servers need to support TCP as well. I'm pretty sure section 4.2 of > RFC 1035 mandates it. It doesn't use the

Re: Response Policy Zone Support

2018-05-23 Thread Paul Vixie via Unbound-users
as before, we have code that implements rpz for unbound. however, it is not open-source licensed. any unbound recursive server that operates a passive dns sensor and thus sends its cache miss traffic to SIE, is automatically licensed to be linked against and run alongside "fastrpz" which is

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner wrote: On 09.04.2018 at 21:15, Paul Vixie wrote: the source addresses are forged. the victims are not unclean in any way. this is why rrl exists. ... Most people using our resolvers use our CPE, our lines, our servers…. And the

Re: DGA Attack mitigation

2018-04-09 Thread Paul Vixie via Unbound-users
Rainer Duffner via Unbound-users wrote: On 09.04.2018 at 20:04, Mahdi Adnan via Unbound-users wrote: I'm running 20 Unbound servers and around 20% of responses are NXDOMAIN, for queries coming from my clients. Block those