Marcus, don't get me(us) wrong. Implement whatever suits you, I'm just
against this code in upstream unbound.
Ondrej Sury
On 8.10.2009, at 16:24, Marcus Alves Grando <[email protected]> wrote:
Hello,
On 10/08/2009 05:15 AM, W.C.A. Wijngaards wrote:
Hi Marcus,
The patch code looks fine, but the problem is security for this.
If you were to create a small program listening on port 12345 that runs next to your unbound servers, that flushes the zone when notified (using unbound-control on the local machine). evldns could make it easy to build such a thing. Then direct the notifies to that other port number.
Would that solve your issues in an architecturally sound manner? Since ldns has some tsig functionality, that could then also be brought to bear to secure the situation properly.
The main idea is to create a way for the recursive server to keep all my zones fresh, without updating the whole process, or as little as possible.
Implementing notify in unbound, I don't need to change anything in the master server, but I need to respect the RFC and not implement anything other than notify.
Your manner, creating an evldns daemon on another port, is insecure too. Yes, it's another port, but notify does not include a security option. If the same people discover the evldns port, it is the same thing as implementing notify in unbound.
I have no problem with the evldns daemon and yes, it will solve my problem, but for me it's another thing to take care of: create some way to keep it running, another procedure in case of failure for our operators, etc.
If you guys think that notify is not a better way, I'll create the evldns daemon without problem, but for me it's the same thing.
Best regards.
Best regards,
Wouter
On 10/07/2009 09:58 PM, Marcus Alves Grando wrote:
On 10/05/2009 03:55 PM, Marcus Alves Grando wrote:
Hello guys,
We started to test unbound in our internal DNS servers, but when there is some zone update we need to wait until the TTL expires to have fresh information. To solve this problem I implemented the NOTIFY part in unbound to flush the qname in the cache.
I think that can be used in many cases, since most of the time we need to propagate DNS modifications fast to our internal DNS servers.
I still need to implement the acl (notify-access-control), but what do the maintainers think about it?
Complete version with acl attached. Needs flex/bison to recreate the related files.
--
Marcus Alves Grando
marcus(at)sbh.eng.br | Personal
mnag(at)FreeBSD.org | FreeBSD.org
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
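The small side-daemon Wouter proposes (listen on a separate port, accept NOTIFY, flush the zone from the local unbound with unbound-control) and the notify-access-control Marcus mentions can be shown together. The following is an added example written for this thread; it is not Marcus's patch, not evldns, and not unbound project code. It parses the NOTIFY query per RFC 1996 (opcode 4, one SOA IN question), checks the sender against a constructed source-address allow list, and on success runs the real `unbound-control flush_zone` command; the allow list and the zone name in the sample input are made up. As Marcus points out, a source-address ACL is only as strong as the source address, so this example rejects what it cannot parse and leaves room to add TSIG (which it does not implement) rather than pretending the ACL is a full authentication step.

```python
import ipaddress
import socket
import struct
import subprocess

OPCODE_NOTIFY = 4
RCODE_NOERROR, RCODE_FORMERR, RCODE_NOTIMP, RCODE_REFUSED = 0, 1, 4, 5
QTYPE_SOA, QCLASS_IN = 6, 1

# Constructed allow list standing in for the notify-access-control from the thread.
# Assumption for the example: the masters allowed to notify us live in 192.0.2.0/24.
# Note this is a source-address check only; it does not authenticate the sender.
ALLOWED_NOTIFIERS = [ipaddress.ip_network("192.0.2.0/24")]


def encode_name(name):
    """Wire-encode a dotted name ("example.com." -> b"\\x07example\\x03com\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (name, offset after name)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_notify(ident, zone):
    """Build a constructed NOTIFY query (RFC 1996) to use as sample input."""
    flags = OPCODE_NOTIFY << 11                      # QR=0, opcode NOTIFY
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_notify(msg):
    """Validate a NOTIFY query; return (zone, raw question section)."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _, flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR set: this is a response, not a query")
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_NOTIFY:
        raise NotImplementedError("opcode %d is not NOTIFY" % opcode)
    if qdcount != 1:
        raise ValueError("NOTIFY must carry exactly one question")
    try:
        zone, off = decode_name(msg, 12)
    except IndexError:
        raise ValueError("truncated question name")
    if len(msg) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if (qtype, qclass) != (QTYPE_SOA, QCLASS_IN):
        raise ValueError("NOTIFY question must be SOA IN")
    return zone, msg[12:off + 4]


def build_response(ident, rcode, question):
    """NOTIFY response: same ID, QR=1, opcode NOTIFY, question echoed back if we have it."""
    flags = 0x8000 | (OPCODE_NOTIFY << 11) | rcode
    return struct.pack("!6H", ident, flags, 1 if question else 0, 0, 0, 0) + question


def flush_with_unbound_control(zone):
    """Drop the zone from the local unbound cache (real unbound-control command)."""
    subprocess.run(["unbound-control", "flush_zone", zone], check=True)


def handle_notify(msg, src_ip, flush=flush_with_unbound_control):
    """Process one datagram; return (response bytes, flushed zone or None)."""
    ident = struct.unpack("!H", msg[:2])[0] if len(msg) >= 2 else 0
    try:
        zone, question = parse_notify(msg)
    except NotImplementedError:
        return build_response(ident, RCODE_NOTIMP, b""), None   # ordinary queries etc.
    except ValueError:
        return build_response(ident, RCODE_FORMERR, b""), None  # malformed input
    if not any(ipaddress.ip_address(src_ip) in net for net in ALLOWED_NOTIFIERS):
        return build_response(ident, RCODE_REFUSED, question), None
    flush(zone)
    return build_response(ident, RCODE_NOERROR, question), zone


def serve(port=12345):
    """Stand-alone UDP loop; 12345 is the port number used in Wouter's message."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        msg, (src_ip, src_port) = sock.recvfrom(512)
        response, _ = handle_notify(msg, src_ip)
        sock.sendto(response, (src_ip, src_port))


if __name__ == "__main__":
    serve()
```

The `flush` parameter is injectable so the handler can be exercised without a running unbound; in production the default calls `unbound-control flush_zone`, which only works if unbound-control is set up on the same host, as Wouter describes. Pointing the master's notify list at this port changes nothing on the master side, which was Marcus's requirement.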