Re: Looking for dnssec-triggerd alpha testers!



On Thu, 22 Sep 2011, Dan Williams wrote:

But I'm not really familiar with unbound.  Is it a long-running service?

Yes, it's a fully DNSSEC validating caching resolver. You start it at boot
and leave it running.

What does its config file look like?  Does it re-read config data on
SIGHUP?

You properly talk to it via unbound-control, which uses SSL certs between
it and the daemon. No need to re-write config files or send it weirdo
signals.

Is there any case you'd run more than one instance at a time,
like we do with dnsmasq when you have virtual machines that use dnsmasq
as the forwarding nameserver between the NAT-ed VM and the host?

You could, but in general one does not. Unlike dnsmasq, unbound delivers no
dhcp or other services. It is just a very secure DNS resolver.

How complicated is the config file format?  Does it have the ability to
specify different nameservers on a per-zone basis?

Yes, you can specify specific forwarders for specific zones using the forward
and stub sections (not sure if you can send these via unbound-control currently).
You can even assign those a DNSSEC key, so you can validate non-public zones
that would normally be proven "not to exist" in the real world.

which you got via DHCP (aka ISP's nameservers). Those servers perform
caching so local unbound/bind will use them and there won't be increased
DNS traffic over the Internet due to bypassing those caches.

Understood.

Indeed.

Paul
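As an added illustration (not from Paul's mail or the unbound project's own documentation), here is an unbound.conf sketch of the setup discussed above: remote-control authenticated with certificates, a forward-zone for a private zone with its own trust anchor so it validates instead of being proven non-existent, and everything else forwarded to the DHCP-supplied resolver. The zone name corp.example, the addresses, the file paths and the DNSKEY are placeholders.

```conf
# unbound.conf -- added example, not the original poster's configuration
server:
    interface: 127.0.0.1
    # Public DNSSEC chain: root trust anchor, kept current by RFC 5011 rollover
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Island of trust for the private zone. Without this, the public root
    # would prove corp.example "not to exist" and validation would fail.
    # Replace the key material with the zone's real KSK (placeholder below).
    trust-anchor: "corp.example. DNSKEY 257 3 8 PLACEHOLDER-BASE64-KSK"
    # Only needed if corp.example answers with RFC 1918 addresses while
    # private-address rebinding protection is in use.
    private-domain: "corp.example"
    # Keep validating even for answers that come back from a forwarder.
    module-config: "validator iterator"

# Management channel used by dnssec-trigger / unbound-control: TLS with
# client and server certificates generated by unbound-control-setup.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

# Private zone: send queries to the internal authoritative server
# (placeholder address) and validate them against the trust anchor above.
forward-zone:
    name: "corp.example."
    forward-addr: 10.0.0.53

# Everything else: use the ISP/DHCP resolver as a cache in front of the
# Internet; unbound still validates each answer it receives from it.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
```

Run `unbound-checkconf` on the file before reloading, and expect a SERVFAIL for corp.example names if the placeholder key does not match what the zone actually signs with.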

