On Wed, 14 Sep 2011, Ed - 0x1b, Inc. wrote:

> I have a feature request for Unbound: Orientation
>
> Could Unbound use the same DNSSEC methods that confirm the root name
> servers to also confirm that an authoritative server on the local
> network segment is affirmatively authoritative, private or fqdn?  What
> this tells me is that my system knows for certain that it is in a
> particular network and domain. If so, it can change the firewall rules
> and run services as well as scripts for synchronization, etc...  These
> are all things I would only want to do if I were on my own network. Or
> maybe I would want to do them differently depending on my system's
> network/domain orientation. This is a question more and more systems
> will face, and I think Unbound can be the best way to know where one
> is in these networks.
>
> As a bonus, if Unbound could communicate the system's orientation by
> way of D-bus it would be even more useful.  [re: systemd?]

I think it would be more the other way around (as Wouter has been
experimenting with using dnssec-trigger). NetworkManager/DBus determines
your network, and reconfigures unbound appropriately.

Perhaps you can do something with unbound-anchor for your private keys,
but in the end, anyone that can replay dnssec data can "pretend" to be
your secure network, so DNS is not a good measurement.

Paul
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
