Re: [CURRENT] unbound: zonefiles?

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Mon, 30 Sep 2013 16:45:49 +0200
On Mon, 30 Sep 2013 07:28:36 -0500
Mark Felder <feld_at_FreeBSD.org> wrote:

> On Thu, Sep 26, 2013, at 4:26, O. Hartmann wrote:
> > 
> > I try my first steps with "unbound" on most recent current and
> > sneaking through the web I find interesting things and howtos. But
> > I realise if I'd like to replace my office's DNS server (based on
> > BIND as it was part of the FreeBSD world) I run into a serious
> > problem regarding the zone- and authoritative files keeping all the
> > PTR and A records. As I can see in the unbound.conf, the statements
> > of those files (address to name resolution, name to address
> > resolution) are now somehow hard-coded into unbound.conf via those
> > appropriate config tags like local-zone and local-data. Since I
> > have some larger files defining a local domain, I'd expect having a
> > data file to be loaded.
> > 
> 
> Unbound exists as a project to be a very fast, lightweight, and secure
> DNS *recursor*. It is not meant to be authoritative for DNS zones;
> it's for caching lookups only. However, they did include the ability
> for you to manually configure zones/records in its config file but
> it's not very robust. I use it to set a single static record on my
> LAN, but it is of no use to the outside world. If I opened it to the
> outside world I'd just end up with an open DNS resolver which is a
> very bad idea. (openresolvers.org)
> 
> BIND functioned as both roles. The lack of separation is often why it
> is criticized. DJB made the separation of roles famous when he
> released DJBDNS which includes two daemons: dnscache and tinydns.
> 
> The complementary daemon by the Unbound authors (NLNet Labs) is called
> nsd. This is probably what you're looking for. Please keep in mind you
> cannot run both nsd and unbound on the same IP, as they cannot both
> listen on the same port (53).


I tried to replace the "gone" BIND in world with one from ports and
ended up in a minor catastrophe. I consider everything in ports running
prefixed from /usr/local, so I'd expect /usr/local/etc/namedb/ to be the
place where the config is placed. But - it isn't.

It should be marked more clearly that local_unbound is really not for
replacing BIND. I got this impression after BIND was killed from the
sources and unbound showed up out of the blue. And the documentation
also does not state clearly that it isn't suitable. More the opposite,
if someone isn't aware.

For my internal LAN, I managed now to resolve a couple of hostnames into
IPs and IPs into hostnames. BIND was clearly an overhead for doing so,
unbound seemed quite adequate, but as I understand you correctly, it
isn't, though.

Regards,

Oliver

Received on Mon Sep 30 2013 - 12:41:01 UTC
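The thread's practical problem is that unbound has no zonefile loader, only local-zone / local-data (and local-data-ptr) statements in unbound.conf. Unbound does, however, accept an `include:` directive, so a generated fragment can stand in for the A/PTR zone Oliver describes. The script below is an added example, not code from the thread or from the unbound project; the hosts table, the domain `office.example` and the `192.168.10.0/24` network are constructed sample values.

```python
import ipaddress

# Constructed sample input in /etc/hosts style: "IP hostname [# comment]".
SAMPLE_HOSTS = """\
# office LAN (constructed sample)
192.168.10.5   fileserver.office.example
192.168.10.6   printer.office.example
192.168.10.7   backup   # short name, gets the domain appended
"""


def parse_hosts(text, domain):
    """Yield (ip, fqdn) pairs; skip comments and blanks, qualify short names."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, name = line.split()[:2]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if "." not in name:
            name = f"{name}.{domain}"
        yield ip, name.rstrip(".")


def reverse_zone(network):
    """in-addr.arpa zone for a /24: 192.168.10.0/24 -> 10.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones are handled in this example")
    octets = str(net.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def render_config(hosts_text, domain, network):
    """Return unbound.conf lines (server: context) for the forward and reverse zone.

    'static' makes unbound answer NXDOMAIN for names in the zone that have no
    local-data, instead of recursing for them upstream.
    """
    lines = [
        f'local-zone: "{domain}." static',
        f'local-zone: "{reverse_zone(network)}." static',
    ]
    for ip, fqdn in parse_hosts(hosts_text, domain):
        lines.append(f'local-data: "{fqdn}. IN A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}."')  # PTR in in-addr.arpa
    return lines


if __name__ == "__main__":
    print("\n".join(render_config(SAMPLE_HOSTS, "office.example", "192.168.10.0/24")))
```

Write the output to a file under /usr/local/etc/unbound/ and pull it in with `include:` from the server: section; the listener still needs an `access-control:` entry limited to the LAN so the recursor is not reachable as an open resolver, the risk Mark points to.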
