On Thu, 21 Mar 2019, Rick van Rein via Unbound-users wrote:

> I am using libunbound for DANE-based realm-crossover for Kerberos. This requires the KDC to map hosts to realms via DNSSEC, but otherwise it is just a wrapper around the KDC, https://github.com/arpa2/kxover/tree/tls-based-attempt

neat!

> 1. Does libunbound cache like an Unbound server would, for the duration of the TTL if the program does not exit before?

Yes.

> 2. The KDC and my daemon each use libunbound. Does that mean they each have their own cache, and if so, is there a way to combine their storage and validation efforts?

If you want to trust your system unbound, don't do validation yourself and check the AD bit? If you want to do validation in the app for security, then you cannot trust the unbound daemon's validation. So I am not quite sure what you are asking for.

> I could speed up lookups with an Unbound daemon behind libunbound, but that'd give three caches and three independent validations!

Everything on localhost could use the unbound daemon on 127.0.0.1 as forwarder, so it would use its cache. You will still have some duplicate cache, but at least no additional latency since it is all local after the unbound daemon put the data in its cache.

Paul
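An added illustration of the first option Paul describes (trust the validating resolver on 127.0.0.1 and check the AD bit instead of validating in the application). This is example code written for this page; it is not part of the thread, of libunbound, or of the kxover project. It builds a DNS query that asks for DNSSEC data (EDNS DO bit, AD bit set in the query per RFC 6840) and then classifies a reply from the header flags: AD set means the resolver validated the answer, AD clear means unvalidated or an insecure zone, and SERVFAIL is what a validating resolver returns for data that failed validation (which it cannot distinguish from other upstream failures without a CD retry). The sample replies at the bottom are constructed header-only messages, and the function, constant and field names are my own choices.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: set only by a validating resolver
FLAG_CD = 0x0010   # checking disabled
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
EDNS_DO = 0x00008000  # DO bit sits in the low 16 bits of the OPT RR TTL field (RFC 3225)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root terminator."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, qid):
    """Build a query with RD and AD set and an OPT RR carrying the DO bit.

    Setting AD in the query tells the resolver we understand the AD bit
    (RFC 6840 section 5.7); DO asks it to include DNSSEC records.
    """
    header = struct.pack("!HHHHHH", qid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt_rr


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a trust decision needs."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def classify(msg, expected_id):
    """Map a reply to secure / insecure / servfail / error / mismatch.

    The AD bit is only evidence when the path to the resolver cannot be
    tampered with, e.g. a validating unbound on 127.0.0.1 as in the thread;
    anything on the path could set AD on a forged reply.
    """
    hdr = parse_header(msg)
    if hdr["id"] != expected_id or not hdr["qr"]:
        return "mismatch"       # not an answer to our question; drop it
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "servfail"       # a validating resolver's signal for bogus data (or upstream failure)
    if hdr["rcode"] != RCODE_NOERROR:
        return "error"          # NXDOMAIN, REFUSED, ...: not a validation verdict
    return "secure" if hdr["ad"] else "insecure"


def query_local(name, qtype, qid, server="127.0.0.1", timeout=2.0):
    """Send the query over UDP to the local resolver and return the raw reply (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, qid), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return reply


# Constructed header-only replies (no question/answer sections) for offline use;
# classify() reads only the header, so these are enough to exercise it.
QID = 0x2A2A
SECURE_RESP = struct.pack("!HHHHHH", QID, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
INSECURE_RESP = struct.pack("!HHHHHH", QID, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
BOGUS_RESP = struct.pack("!HHHHHH", QID, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, resp in (("secure", SECURE_RESP), ("insecure", INSECURE_RESP), ("bogus", BOGUS_RESP)):
        print(label, "->", classify(resp, QID))
```

In the KDC/daemon layout from the thread, both processes would send their queries to the local unbound through something like `query_local` and act only on `secure` answers, so the validation work happens once in the daemon rather than twice in libunbound; if the application must not depend on the daemon's verdict at all, this check is not a substitute for in-process validation, which is the trade-off Paul points out.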
