On Dec 12 12:07, Mathieu Arnold wrote:
+--On 12 December 2014 05:00:00 -0600 Scot Hetzel <swhet...@gmail.com>
wrote:
| On Fri, Dec 12, 2014 at 4:15 AM, Darren Pilgrim
| <list_free...@bluerosetech.com> wrote
|> On 12/11/2014 11:53 PM, Matt Smith wrote:
|>>
|>> Somebody has let me know that I made an obvious mistake in the above. I
|>> meant that the default rcorder is to run Unbound first followed by NSD.
|>> So to clarify I think in the default situation Unbound starts first,
|>> contacts NSD and gets no answer because it hasn't been started yet and
|>> then fails in some way.  Whereas if NSD is running first then Unbound is
|>> happy.
|>
|>
|> Unbound requires SERVERS, but nsd requires LOGIN, a much later
|> checkpoint.
|>
|> The fix would be adding an rcorder override mechanism whereby one could
|> specify additional constraints (like unbound REQUIRE nsd).  If there's
|> interest for this, I can see about a patch.
|>
| Would it be better to add:
|
|# BEFORE: unbound
|
| to the dns/nsd rc.d script?

Well, the thing is, a resolver is required way before an authoritative
server is.


Yes. I've been thinking that maybe it's actually in the correct order really after all. I've worked around my particular problem by changing the order, but that might not be the case for everyone else.

I'm thinking now why actually do I have DNSSEC validation on my local intranet domain and reverse DNS anyway? I run two instances of NSD, one for the LAN which Unbound talks to, and one for the internet which everyone else talks to. It could be argued that I only need to DNSSEC-sign the internet copies of the zones and not the LAN ones, in which case this problem won't exist. Maybe I should just go down that route instead.

--
Matt
_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
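
Added example, not part of the thread and not FreeBSD's rcorder: a small Python model of the PROVIDE/REQUIRE/BEFORE ordering discussed above, showing that putting `# BEFORE: unbound` in nsd's script moves the resolver behind LOGIN. The header text, the single SERVERS-to-LOGIN edge and the level-then-name tie-break are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed rc.d headers. Only the two REQUIRE lines come from the thread;
# the chain between SERVERS and LOGIN is collapsed to one edge (assumption).
SCRIPTS = {
    "SERVERS": "# PROVIDE: SERVERS\n",
    "LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: SERVERS\n",
    "unbound": "# PROVIDE: unbound\n# REQUIRE: SERVERS\n",
    "nsd": "# PROVIDE: nsd\n# REQUIRE: LOGIN\n",
}
TAG = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def parse(text):
    """Collect the names listed on PROVIDE/REQUIRE/BEFORE comment lines."""
    tags = defaultdict(list)
    for keyword, names in TAG.findall(text):
        tags[keyword] += names.split()
    return tags

def levels(scripts):
    """Earliest start level of each script; raises ValueError on a cycle."""
    parsed = {name: parse(text) for name, text in scripts.items()}
    provider = {p: n for n, tags in parsed.items() for p in tags["PROVIDE"]}
    prereq = defaultdict(set)  # script -> scripts that must start first
    for name, tags in parsed.items():
        prereq[name] |= {provider[r] for r in tags["REQUIRE"]}
        for later in tags["BEFORE"]:  # BEFORE is REQUIRE seen from the other side
            prereq[provider[later]].add(name)
    level = {}
    def depth(name, stack=()):
        if name in stack:
            raise ValueError("cycle: " + " -> ".join(stack + (name,)))
        if name not in level:
            level[name] = 1 + max(
                (depth(p, stack + (name,)) for p in prereq[name]), default=-1)
        return level[name]
    for name in scripts:
        depth(name)
    return level

def boot_order(scripts):
    """Order by level, then name (a simplification of rcorder's tie-breaking)."""
    lv = levels(scripts)
    return sorted(scripts, key=lambda name: (lv[name], name))

if __name__ == "__main__":
    patched = dict(SCRIPTS, nsd=SCRIPTS["nsd"] + "# BEFORE: unbound\n")
    print("default:", boot_order(SCRIPTS))   # unbound ahead of nsd
    print("patched:", boot_order(patched))   # unbound pushed behind LOGIN and nsd
```

In this model, any script that needs the resolver and must itself run before LOGIN would turn the patched ordering into a cycle, which `levels` reports as a `ValueError`.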