Hi Francis,
Welcome! Some quick notes from my part, inline.
Best regards,
-- Yorgos
On 18/12/2023 10:08, Francis Turner via Unbound-users wrote:
> Hi Everyone,
> I’m a brand new user of the mailing list. I work for ThreatSTOP which
> makes RPZ’s available on a variety of DNS platforms.
> Recently we’ve been asked to support unbound.
> Several years ago I looked at this and, at the time, there was no way to
> use a TSIG key to secure zone transfers and looking at the documentation
> today that seems to still be the case.
Indeed, although adding TSIG support for zone transfers is part of our
plans.
> I have an ubuntu based example server running that I am able to get RPZ
> into by means of an external shell script that does a dig and sed
> pipeline. Is this the preferred method? And/or has someone got clear
> documentation on how to do this better?
> I will be happy to contribute my example configs (and RPZ update script)
> back to the project if there are no better ones around.
> I have two questions, assuming that the shell script method is the
> correct approach
> 1. Once I have updated the rpz zonefile, should I use “unbound-control
> reload” to get the new RPZ in or is there a better alternative
> (auth_zone_reload)?
Reloading just that one zone is better time-wise.
Based on the contents of the RPZ zone itself (the kind of triggers it
uses, in particular rpz-nsdname and rpz-nsip since these will access
records already in the cache), also emptying the cache through a regular
reload may be what you need instead.
> 2. I think I’m correct that unbound-control log_reopen should be called
> in the postrotate stanza of a logrotate.d config?
If you specify your own configuration file then yes.
If not, then logs are directed to the syslog which should be rotated
automatically.
> Thanks in advance for any and all assistance
> Regards
> Francis
> Francis Turner
> Threat STOP Global SE
> JP Cell: +81-8080404701 | US Cell: +1-760-402-7676
> Office: +1-760-542-1550 | Line: francisturner
> fran...@threatstop.com | www.threatstop.com
> Weaponize Your Threat Intelligence
> “If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
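One way to put the dig-and-sed approach from the question together with the single-zone reload and the logrotate answer from the replies, as an added example that is neither Francis's script nor Unbound project code. It assumes a zone named rpz.example, a primary at 192.0.2.53, a TSIG key supplied in dig's -y form (dig does the TSIG-authenticated transfer, which is the part Unbound itself cannot do yet according to the thread), zonefiles under /var/lib/unbound, and the rpz: and logrotate stanzas shown in the header comments; all of those are assumptions. It also compares SOA serials in RFC 1982 arithmetic so Unbound is only told to reload when the transfer actually brought a newer zone.

```shell
#!/bin/sh
# rpz-update.sh: pull an RPZ zone with `dig AXFR`, turn the transfer output
# into a zonefile Unbound can load, and reload only that zone.
# Added example, not the poster's script. Zone name, primary address, TSIG
# key, file paths and the Unbound/logrotate snippets below are assumptions.
#
# Assumed matching Unbound configuration (file-based rpz: clause):
#   rpz:
#       name: rpz.example
#       zonefile: /var/lib/unbound/rpz.example.zone
#       rpz-log: yes
#       rpz-log-name: rpz.example
#
# Assumed /etc/logrotate.d/unbound, only needed when unbound.conf sets
# "logfile:" (with syslog there is nothing for Unbound to reopen):
#   /var/log/unbound.log {
#       daily
#       postrotate
#           unbound-control log_reopen
#       endscript
#   }
set -eu

ZONE="${RPZ_ZONE:-rpz.example}"                 # assumed zone name
PRIMARY="${RPZ_PRIMARY:-192.0.2.53}"            # assumed (documentation range)
TSIG="${RPZ_TSIG:-}"                            # dig -y form: hmac-sha256:keyname:base64secret
ZONEFILE="${RPZ_ZONEFILE:-/var/lib/unbound/${ZONE}.zone}"

# normalize_axfr ZONE: read raw dig output on stdin and write a zonefile.
# dig prints ';' comment lines, blank lines and the SOA twice (it opens and
# closes the transfer); keep one SOA, drop the rest, prefix $ORIGIN/$TTL.
normalize_axfr() {
  printf '$ORIGIN %s.\n$TTL 300\n' "$1"
  sed -e '/^;/d' -e '/^[[:space:]]*$/d' |
    awk '$4 == "SOA" { if (seen++) next } { print }'
}

# soa_serial FILE: print the SOA serial (7th field of the SOA record).
soa_serial() {
  awk '$4 == "SOA" { print $7; exit }' "$1"
}

# serial_newer NEW OLD: succeed when NEW is ahead of OLD in RFC 1982
# serial-number arithmetic, so a serial that wrapped past 2^32 still counts.
serial_newer() {
  [ "$1" = "$2" ] && return 1
  delta=$(( ($1 - $2 + 4294967296) % 4294967296 ))
  [ "$delta" -gt 0 ] && [ "$delta" -lt 2147483648 ]
}

# update_rpz: transfer, normalise, and reload the zone only if the serial moved.
update_rpz() {
  tmp=$(mktemp "${ZONEFILE}.XXXXXX")
  trap 'rm -f "$tmp"' EXIT
  # A failed transfer leaves no SOA in the output, which is caught below;
  # plain sh has no pipefail, so dig's exit status is not relied on here.
  # shellcheck disable=SC2086
  dig +noall +answer ${TSIG:+-y "$TSIG"} "@$PRIMARY" "$ZONE" AXFR |
    normalize_axfr "$ZONE" > "$tmp"
  new=$(soa_serial "$tmp")
  [ -n "$new" ] || { echo "AXFR of $ZONE from $PRIMARY failed" >&2; return 1; }
  old=$(soa_serial "$ZONEFILE" 2>/dev/null || true)
  if serial_newer "$new" "${old:-0}"; then
    chmod 0644 "$tmp"              # mktemp gives 0600; the unbound user must read it
    mv "$tmp" "$ZONEFILE"
    # Reload just this zone. If the zone uses rpz-nsip/rpz-nsdname triggers,
    # already-cached data may still match, and a full `unbound-control reload`
    # (which empties the cache) may be the better choice, as the reply notes.
    unbound-control auth_zone_reload "$ZONE"
  fi
}

# Run only when invoked as the script itself, so the functions can be sourced.
case "${0##*/}" in rpz-update.sh) update_rpz ;; esac
```

Run it from cron as the user that owns the zonefile directory; unbound-control needs the remote-control: section enabled in unbound.conf and access to its key files.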