Looking for dnssec-triggerd alpha testers!
paul at xelerance.com
Thu Sep 22 18:26:13 UTC 2011
On Thu, 22 Sep 2011, Dan Williams wrote:
> But I'm not really familiar with unbound. Is it a long-running service?
Yes, it's a fully dnssec validating caching resolver. You start it at boot
and leave it running.
> What does its config file look like? Does it re-read config data on
You properly talk to it via unbound-control, which uses SSL certs between
it and the daemon. No need to re-write config files or send it weirdo
> Is there any case you'd run more than one instance at a time,
> like we do with dnsmasq when you have virtual machines that use dnsmasq
> as the forwarding nameserver between the NAT-ed VM and the host?
You could, but in general one does not. Unlike dnsmasq, unbound delivers no
dhcp or other services. It is just a very secure DNS resolver.
> How complicated is the config file format? Does it have the ability to
> specify different nameservers on a per-zone basis?
Yes, you can specify specific forwarders for specific zones using the forward
and stub sections (not sure if you can send these via unbound-control currently).
You can even assign those a DNSSEC key, so you can validate non-public zones
that would normally be proven "not to exist" in the real world.
>> which you got via DHCP (aka ISP's nameservers). Those servers perform
>> caching so local unbound/bind will use them and there won't be increased
>> DNS traffic over the Internet due to bypassing those caches.
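
An unbound.conf fragment illustrating the per-zone forward and stub sections with a DNSSEC key for a non-public zone, as described in the reply above. This is an added example, not part of the original message; the zone names, addresses (documentation ranges) and key file path are hypothetical.

```conf
# Added example: zone names, addresses and the key path are hypothetical.
server:
    # Trust anchor (DS or DNSKEY record) for the internal zone, so answers
    # for it validate even though the public DNS proves the name absent.
    trust-anchor-file: "/etc/unbound/corp.example.key"
    # Allow private (RFC 1918) addresses in answers for this zone only.
    private-domain: "corp.example."

# forward-zone: hand queries for this zone to a recursive resolver.
forward-zone:
    name: "corp.example."
    forward-addr: 192.0.2.53

# stub-zone: query the zone's authoritative server directly.
stub-zone:
    name: "lab.example."
    stub-addr: 198.51.100.53
```

Running `unbound-checkconf` on the file reports syntax errors before the daemon is restarted.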