Penned by Jan Klemkow on 20120217 3:38.24, we have:

| There is another problem with replacing bind with unbound and nsd.
| If you have a setup where you need to do authoritative and recursive
| resolving of domains with the same socket and you have to synchronise
| with an external DNS server over zone transfers.
|
| This setup is not possible at the moment with unbound and nsd.
| You need a feature in unbound that it forwards zone transfer requests
| to another DNS server.
|
| I think it could be possible with the unbound python-extension to
| implement such a feature, but in OpenBSD Base there will be no unbound
| with this kind of extension.
|
| I think we need modern bind in ports if we do the replacement. So that
| the admins out there could easily use OpenBSD as a DNS server with such
| extra features.
| --
| Jan Klemkow
I have totd resolving from unbound which gets some info from nsd on the same system. (Yes, I should try Ryan's DNS64 unbound diff...)

It is quite possible, you simply need to configure the various daemons to see each other at alternate ports and let the recursive be port 53.

If you think you need both recursive and authoritative on the same IP and port 53, then you miss the point of the separation. You can still accomplish this by using pf to redirect traffic based on the need for recursion vs authoritative service, aka local systems tend to need recursion while remote only need to see authoritative... but it is arguably simpler to just use a different IP for each.

Thanks,

--
Todd Fries .. [email protected]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:[email protected]
| "..in support of free software solutions."  \  sip:[email protected]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt
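The layout Todd describes, written out as configuration, as an added example that is not part of either message in the thread: nsd takes the zone by transfer from the external master and listens on an alternate port, unbound owns port 53 for the local network and is pointed at nsd through a stub-zone, and a pf rule sends everyone else straight to nsd so remote resolvers still get genuine authoritative answers. The interface name em0, the network 192.168.1.0/24, the zone example.org, the master 192.0.2.10 and port 5353 are assumed values; the zonefile path is a placeholder.

```conf
# --- /var/nsd/etc/nsd.conf (added example; nsd serves example.org only, on port 5353) ---
server:
    ip-address: 127.0.0.1
    port: 5353

zone:
    name: "example.org"
    zonefile: "example.org.zone"        # placeholder path
    allow-notify: 192.0.2.10 NOKEY      # assumed external master
    request-xfr: 192.0.2.10 NOKEY       # pull the zone by AXFR/IXFR from it

# --- /var/unbound/etc/unbound.conf (added example; recursive service on port 53) ---
server:
    interface: 0.0.0.0
    port: 53
    access-control: 192.168.1.0/24 allow    # only the local network may recurse
    access-control: 0.0.0.0/0 refuse        # everyone else is refused here...
    do-not-query-localhost: no              # needed so unbound may ask nsd on 127.0.0.1

stub-zone:
    name: "example.org"
    stub-addr: 127.0.0.1@5353               # answers for the local zone come from nsd

# --- /etc/pf.conf (added example; remote queries bypass unbound entirely) ---
ext_if = "em0"
lan = "192.168.1.0/24"
# ...so remote hosts are redirected to nsd and get an authoritative (AA) answer
pass in on $ext_if proto { tcp, udp } from ! $lan to ($ext_if) port 53 rdr-to 127.0.0.1 port 5353
pass in on $ext_if proto { tcp, udp } from $lan to ($ext_if) port 53
```

The access-control lines in unbound and the rdr-to rule in pf are the separation itself: the recursive service is never reachable from outside, which is the open-resolver exposure the split is meant to remove, and the authoritative data is never served through the cache with its AA flag stripped. Both nsd and pf must be set up so that the redirected traffic reaches 127.0.0.1:5353 (nsd listening on lo0, and the rdr-to rule matched before any blanket block rule).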
