On 22.1.2015 10:37, Yuri Schaeffer wrote:
> Hi Petr,
>
>> I would like to know if it is possible to somehow combine 1 custom
>> python module with two instances of iterator modules (with different
>> configurations).
>
> I don't see a way to do that within a reasonable amount of work. Might I
> suggest sharing the problem you are trying to solve with the list, rather
> than your solution?

The purpose of this exercise is to help with DNSSEC validation on roaming
machines & support DNS split views at the same time.

Fundamental assumption:
Internal & external DNS view are both signed or both unsigned.

It should work like this:

1) Probing/preparation when client connects to a network:
   Client probes if servers advertised by DHCP support DNSSEC:
   a) If DHCP-advertised servers *do support* DNSSEC
      -> use them for everything, do full validation.
   b) If DHCP-advertised servers *do not support* DNSSEC:
      - Find a hole in firewall so we can contact DNS servers on public
        Internet.

2) Query processing for cases where local servers do not support DNSSEC:
   - Do recursion and validation using external DNS servers.
   a) If result is SECURE -> return result.
   b) If result is provably INSECURE
      -> query local servers advertised by DHCP and return whatever they
         returned.

This algorithm covers DNS split-views with internal unsigned views pretty
nicely as long as the fundamental assumption holds.

Thank you for any implementation advice!

-- 
Petr Spacek  @  Red Hat
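
Added example, not part of the original message and not Unbound code: a small offline model of step 2 (query processing when the DHCP-advertised servers do not support DNSSEC), showing what happens to a name when the fundamental assumption is broken. The names `Zone`, `closest_zone` and `resolve`, the sample zones and addresses, the per-zone validation status standing in for real external validation, and the SERVFAIL handling of bogus results are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    apex: str        # zone apex as seen from the public Internet
    status: str      # validator verdict for names in it: SECURE / INSECURE / BOGUS
    records: dict = field(default_factory=dict)   # owner name -> address

def closest_zone(view, name):
    """Longest-suffix match: the zone in `view` that encloses `name`."""
    hits = [z for z in view if name == z.apex or name.endswith("." + z.apex)]
    return max(hits, key=lambda z: len(z.apex), default=None)

def resolve(name, external, local):
    """Step 2 of the message: validate externally, fall back to local servers
    only when the external result is provably insecure."""
    zone = closest_zone(external, name)
    status = zone.status if zone else "BOGUS"
    if status == "SECURE":
        # A validated answer (or validated denial) is final; local is not asked.
        return zone.records.get(name), "external, validated"
    if status == "INSECURE":
        # Whatever the DHCP-advertised servers say is returned without validation.
        return local.get(name), "local, not validated"
    # Assumption: the message does not cover bogus results; fail closed here.
    return None, "SERVFAIL"

# Constructed sample data (documentation address ranges, made-up names).
EXTERNAL = [
    Zone("example.org.", "SECURE", {"www.example.org.": "203.0.113.10"}),
    Zone("corp.example.", "INSECURE"),      # unsigned in both views: assumption holds
    Zone("signed.example.", "SECURE", {"app.signed.example.": "203.0.113.20"}),
    Zone("broken.example.", "BOGUS"),
]
LOCAL = {   # answers from the unsigned internal view
    "intranet.corp.example.": "10.0.0.5",
    "app.signed.example.": "10.0.0.6",      # assumption violated: signed outside only
    "wiki.signed.example.": "10.0.0.7",     # internal-only name under a signed zone
}

if __name__ == "__main__":
    for qname in ("www.example.org.", "intranet.corp.example.",
                  "app.signed.example.", "wiki.signed.example.",
                  "x.broken.example."):
        print(qname, resolve(qname, EXTERNAL, LOCAL))
```

The two `signed.example.` names show the cost of violating the assumption: the externally validated answer or denial wins and the internal view is never consulted.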
