Re: Looking for dnssec-triggerd alpha testers!

On Thu, 22 Sep 2011, Dan Williams wrote:

But I'm not really familiar with unbound.  Is it a long-running service?

Yes, It's a fully dnssec validating caching resolver. You start it at boot
and leave it running.

What does its config file look like?  Does it re-read config data on

You properly talk to it via unbound-control, which uses SSL certs between
it and the daemon. No need to re-write config files or send it weirdo

Is there any case you'd run more than one instance at a time,
like we do with dnsmasq when you have virtual machines that use dnsmasq
as the forwarding nameserver between the NAT-ed VM and the host?

You could, but in general one does not. Unlike dnsmasq, unbound delivers no
dhcp or other services. It is just a very secure DNS resolver.

How complicated is the config file format?  Does it have the ability to
specific different nameservers on a per-zone basis?

Yes you can specify specific forwarders for specific zones using the forward
and stub sections (not sure if you can send these via unbound-control currently)
You can even assign those a DNSSEC key, so you can validate non-public zones
that would normally be proven "not to exist" in the real world.

which you got via DHCP (aka ISP's nameservers). Those servers perform
caching so local unbound/bind will use them and there won't be increased
DNS traffic over the Internet due bypassing those caches.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]