On Mon, 13 Feb 2012 22:35:15 +0100
Björn Ketelaars <[email protected]> wrote:

> Hello,
>
> After some recent discussions [1, 2] on the topic of unbound in base,
> and (more important) really liking the idea of an alternative for
> BIND in base, I made a start with fitting the different pieces of the
> puzzle. What is finished:
>
> 1.) Integration of ldns 1.6.12 and unbound 1.4.15 and writing of
> relevant Makefile wrappers. Wrapper script also compiles and installs
> drill;
> 2.) Testing (read: does it compile and work) on AMD64.
>
> Stuart Henderson had some good remarks on integrating the above [3].
> What do you guys think of the following:
>
> What to do with the BIND tools (dig/host/nslookup)?

I would leave them alone. They are used in most of the scripts all over
the place.
I.e. have a usr.sbin/bind-utils in the source tree.

> Unbound offers drill. From drill.1: "The name drill is a pun on dig.
> With drill you should be able get even more information than with
> dig.". Proposal therefore is to replace the BIND tools with drill.

No, see above.

> Do we run unbound-anchor automatically? If so, how do we handle
> possibly not having working DNS at that time to resolve
> data.iana.org?
> From unbound-anchor.8 I understand that unbound-anchor can be run
> from the command line, or run as part of startup scripts _before_ the
> actual (unbound) DNS server is started. So there is no need for DNS.
> Proposal therefore is to run unbound-anchor automatically before
> starting the unbound daemon (rc_pre in unbound rc-script).

Agreed.

> How and when do we automatically generate unbound-control keys? If
> so, where should that be done? …
>
> From unbound-control.8: The script unbound-control-setup generates
> these control keys in the default run directory. If you change the
> access control permissions on the key files you can decide who can
> use unbound-control. Run the script under the same username as you
> have configured in unbound.conf or as root, so that the daemon is
> permitted to read the files, for example with: sudo -u unbound
> unbound-control-setup. If you have not configured a username in
> unbound.conf, the keys need read permission for the user credentials
> under which the daemon is started. The script preserves private keys
> present in the directory. After running the script as root, turn on
> control-enable in unbound.conf.
> The unbound-control-script can be called from rc->make_keys(). The
> knob 'control-enable' can be set as default.

unbound-control should be renamed to more convenient 'unboundctl'.

> After tar/gzip the source files and Makefile wrappers weigh ~4.6MB. A
> bit too large to send to this list. If anyone feels like looking at
> the work… do not hesitate to mail me.
>
> Again, what do you guys think?
>
> Kind regards,
>
> Björn
>
>
> [1] http://marc.info/?l=openbsd-misc&m=132205020820910&w=2
> [2] http://marc.info/?l=openbsd-tech&m=132573371521516&w=2
> [3] http://marc.info/?l=openbsd-misc&m=132217547525487&w=2
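
The pre-start steps discussed in this thread (refresh the trust anchor before the daemon starts, generate control keys once, keep the key files restricted), as an added example that is not code from the thread or from OpenBSD. The function names and default paths are assumptions; the exit-status handling follows unbound-anchor(8), which documents exit 1 when the anchor was updated.

```shell
# Added example: pre-start helper for an unbound rc script.
# Default paths below are assumptions; adjust them to the actual install.
UNBOUND_DIR=${UNBOUND_DIR:-/var/unbound/etc}
ANCHOR_FILE=${ANCHOR_FILE:-$UNBOUND_DIR/root.key}
ANCHOR_CMD=${ANCHOR_CMD:-unbound-anchor}
SETUP_CMD=${SETUP_CMD:-unbound-control-setup}

# Refresh the DNSSEC root trust anchor before the daemon is started.
# unbound-anchor exits 1 when it updated the anchor (certificate or
# built-in), so its exit status is not a failure signal; check that a
# non-empty anchor file exists instead.
refresh_anchor() {
    "$ANCHOR_CMD" -a "$ANCHOR_FILE" || true
    [ -s "$ANCHOR_FILE" ]
}

# Generate the control keys only when they are missing, so that a
# restart never replaces keys an administrator already distributed.
ensure_control_keys() {
    if [ ! -f "$UNBOUND_DIR/unbound_server.key" ] ||
       [ ! -f "$UNBOUND_DIR/unbound_control.key" ]; then
        "$SETUP_CMD" -d "$UNBOUND_DIR" || return 1
    fi
}

# Whoever can read the key files can use unbound-control, so refuse to
# continue if a private key is readable or writable by "other".
keys_private() {
    loose=$(find "$UNBOUND_DIR" -name 'unbound_*.key' \
        \( -perm -004 -o -perm -002 \))
    [ -z "$loose" ]
}

# Intended to be called from the rc script's pre-start hook (rc_pre).
unbound_pre_start() {
    refresh_anchor ||
        { echo "no trust anchor at $ANCHOR_FILE" >&2; return 1; }
    ensure_control_keys ||
        { echo "control key setup failed" >&2; return 1; }
    keys_private ||
        { echo "control keys are accessible to other users" >&2; return 1; }
}
```
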
