On 03/16/2017 07:13 PM, Eric Luehrsen wrote:
1. BIND runs in a chroot environment. Should I continue this with
Unbound or is this not as much an issue?
Yes. Do chroot. Have init-start copy everything to /var/lib/unbound.
Then allow Unbound only to operate there. Have your init-stop script
copy back to /etc/ only non-poisoned updates. For example, double-check the
RFC5011 root.key file.
2. Minimal responses to queries (I see how Unbound does that)
3. Resolve RFC1918 addresses (we currently forward those to our
authoritative servers and I believe I see how to do this with Unbound)
"stub:" clause to authoritative servers that normally respond to
recursive queries. "forward:" clause to other recursive search or
forwarding servers (not authoritative). RFC1918, RFC4193... see the
section on private zone data under "unbound.conf" on the web page.
4. Gathering statistics and graphing queries per second (not sure how
to accomplish this)
I wanted to thank Eric for taking the time to answer my questions.
Testing is going well and I'm putting these suggestions to work.
Oscar
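The following unbound.conf is an added example of putting the four points above together (chroot, minimal responses, RFC1918/RFC4193 reverse zones via stub-zone and forward-zone, and statistics output); it is not configuration posted by Eric or Oscar and not part of the Unbound project's own documentation. The zone names corp.example and partner.example, the server addresses 192.0.2.53/54 and 198.51.100.53, and the /var/lib/unbound chroot layout are assumptions for illustration.

```conf
server:
    # Drop privileges and confine the daemon. Assumed layout: the init-start
    # script copies unbound.conf, root.key and the control keys into
    # /var/lib/unbound before starting; all paths below are inside the chroot.
    username: "unbound"
    chroot: "/var/lib/unbound"
    directory: "/var/lib/unbound"
    pidfile: "/var/lib/unbound/unbound.pid"

    # RFC 5011 managed trust anchor. Unbound rewrites this file itself, so the
    # init-stop script should validate it before copying it back to /etc.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Answer with only the records the client asked for (point 2).
    minimal-responses: yes

    # Private address space (RFC 1918, RFC 4193 ULA). Addresses in these
    # ranges are only accepted in answers for the private-domain names,
    # which is the rebinding protection for everything else.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fc00::/7
    private-domain: "corp.example"          # assumed internal zone

    # The internal authoritative servers are not DNSSEC-signed (assumed), so
    # mark the zones insecure instead of letting validation fail them.
    domain-insecure: "corp.example"
    domain-insecure: "10.in-addr.arpa"
    domain-insecure: "168.192.in-addr.arpa"
    domain-insecure: "d.f.ip6.arpa"

    # Unbound refuses RFC 1918 / ULA reverse lookups by default; switch off
    # the built-in empty zones for the ranges we actually resolve. The 16
    # zones 16.172 ... 31.172.in-addr.arpa would be handled the same way.
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault
    local-zone: "d.f.ip6.arpa." nodefault

    # Statistics (point 4): log the counters every 5 minutes, keep them
    # per interval rather than cumulative, and include the extended set.
    statistics-interval: 300
    statistics-cumulative: no
    extended-statistics: yes

# stub-zone: the target answers authoritatively and does no recursion.
stub-zone:
    name: "corp.example"
    stub-addr: 192.0.2.53                   # assumed internal authoritative servers
    stub-addr: 192.0.2.54

stub-zone:
    name: "10.in-addr.arpa"
    stub-addr: 192.0.2.53

stub-zone:
    name: "168.192.in-addr.arpa"
    stub-addr: 192.0.2.53

stub-zone:
    name: "d.f.ip6.arpa"
    stub-addr: 192.0.2.53

# forward-zone: the target is itself a recursive or forwarding resolver.
forward-zone:
    name: "partner.example"                 # assumed zone reached through another resolver
    forward-addr: 198.51.100.53

# Local control socket so unbound-control can read the same counters.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

Run unbound-checkconf against the file before the init-start copy, and generate the control keys once with unbound-control-setup (they must also live inside the chroot). For graphing, poll `unbound-control stats_noreset` from the collector and divide the per-interval total.num.queries counter by the interval length to get queries per second; the same numbers appear in the log at each statistics-interval.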