On Thu, 22 Sep 2011, Dan Williams wrote: > But I'm not really familiar with unbound. Is it a long-running service?
Yes, It's a fully dnssec validating caching resolver. You start it at boot and leave it running. > What does its config file look like? Does it re-read config data on > SIGHUP? You properly talk to it via unbound-control, which uses SSL certs between it and the daemon. No need to re-write config files or send it weirdo signals. > Is there any case you'd run more than one instance at a time, > like we do with dnsmasq when you have virtual machines that use dnsmasq > as the forwarding nameserver between the NAT-ed VM and the host? You could, but in general one does not. Unlike dnsmasq, unbound delivers no dhcp or other services. It is just a very secure DNS resolver. > How complicated is the config file format? Does it have the ability to > specific different nameservers on a per-zone basis? Yes you can specify specific forwarders for specific zones using the forward and stub sections (not sure if you can send these via unbound-control currently) You can even assign those a DNSSEC key, so you can validate non-public zones that would normally be proven "not to exist" in the real world. >> which you got via DHCP (aka ISP's nameservers). Those servers perform >> caching so local unbound/bind will use them and there won't be increased >> DNS traffic over the Internet due bypassing those caches. > > Understood. Indeed. Paul -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
