Re: bind -> unbound/nsd

To: current-users%netbsd.org@localhost
Subject: Re: bind -> unbound/nsd
From: Joerg Sonnenberger <joerg%bec.de@localhost>
Date: Mon, 22 Aug 2016 13:40:24 +0200

On Mon, Aug 22, 2016 at 12:21:00PM +0100, Patrick Welche wrote:
> On Fri, Aug 19, 2016 at 06:13:13PM +0200, Joerg Sonnenberger wrote:
> > On Fri, Aug 19, 2016 at 09:55:48AM +0100, Roy Marples wrote:
> > > For example, I would use nsd on exactly one machine in my environment,
> > > my public facing DNS server which is exactly where it belongs.
> > > 
> > > On the other hand, all my other BSD machines run unbound as a local
> > > caching resolver.
> > 
> > To slightly expand that. You don't need nsd if you just want to serve a
> > few local host names for a local network. You only need nsd if you want
> > to provide an authoritive DNS server. IMO that is a decently small use
> > case that it doesn't justify the incluse into the base system.
> 
> I know nothing of bound / nsd - in bind I currently serve a local
> domain using zones fetched from the authoritative server, so it
> isn't authoritative, and it isn't only cacheing - how does that fit
> in the new world?

For unbound, there are essentially three different ways to answer a
query:
(1) Recursion to some upstream name server like the root servers.
(2) Local (non-authoritive) entries
(3) Stub zones, e.g. explicit redirect to an authoritive server.

If you only care about A, AAAA, PTR, SOA and TXT for internal use, (2)
is enough. The answers won't be authoritive, but you can easily specify
the data in the config file and/or manipulate it via the control socket.
The latter can also be used for some forms of Dynmic DNS.

If you need authoritive answers or more control of the zone like DNSSEC,
wildcards or CNAME, you can use stub zones to implement a split horizon.
E.g. you tell unbound explicitly that example.com. should be resolved via
192.168.1.1 and not via whatever is found in com.

One of the biggest the reason why unbound doesn't do authoritive is that
it makes it a lot easier to avoid a large class of cache poisoning
attacks. For typical local network uses in the SOHO style, it isn't
needed either.

Joerg

References:
- Re: bind -> unbound/nsd
  - From: Christos Zoulas
- Re: bind -> unbound/nsd
  - From: Roy Marples
- Re: bind -> unbound/nsd
  - From: Joerg Sonnenberger
- Re: bind -> unbound/nsd
  - From: Patrick Welche

Prev by Date: Re: bind -> unbound/nsd, Re: bind -> unbound/nsd
Next by Date: Re: xorg-server 1.18 ready for testing on x86 and shark
Previous by Thread: Re: bind -> unbound/nsd
Next by Thread: Re: bind -> unbound/nsd
Indexes:

Home | Main Index | Thread Index | Old Index